webinar slides: payment card industry data security standards – pci-dss update


Upload: mhm-mayer-hoffman-mccann-pc

Post on 13-Jan-2017


#cbizmhmwebinar 1

CBIZ & MHM Executive Education Series™

Payment Card Industry Data Security Standards – PCI-DSS Update Karen Cassella & Brenda Brigman March 24 & March 29, 2016

#cbizmhmwebinar 2

Before We Get Started…

• To view this webinar in full screen mode, click on view options in the upper right hand corner.

• Click the Support tab for technical assistance.

• If you have a question during the presentation, please use the Q&A feature at the bottom of your screen.

#cbizmhmwebinar 3

CPE Credit

This webinar is eligible for CPE credit. To receive credit, you will need to answer periodic participation markers throughout the webinar. External participants will receive their CPE certificate via email immediately following the webinar.

#cbizmhmwebinar 4

Disclaimer

The information in this Executive Education Series course is a brief summary and may not include all the details relevant to your situation.

Please contact your service provider to further discuss the impact on your business.

#cbizmhmwebinar 5

Presenters

KAREN CASSELLA, CICA, Managing Director

Karen Cassella is a Managing Director in the CBIZ Risk & Advisory Services practice and has more than 20 years' experience performing internal and external audits, fraud investigations, SOX-404 compliance, PCI compliance and various regulatory audit and consulting services in the public and private sectors.

Karen led the effort for CBIZ to become a Qualified Security Assessor (QSA) Company, certified and approved by the Payment Card Industry (PCI) Security Standards Council. Her team performs PCI audits for merchants and service providers in the public and private sectors at all levels.

901.842.2859 • [email protected]

#cbizmhmwebinar 6

Presenters

BRENDA BRIGMAN, QSA, PCIP, CCSK, CISA, CISSP, PCI National Practice Leader

Brenda is the National PCI Practice Leader for CBIZ Security & Advisory Services. She has over 15 years of experience in Information Technology Management and over 10 years of experience in Information Technology Auditing, including internal audit and risk management. She has served as an Engagement Manager on multiple Level 1 PCI engagements, and her industry experience includes IT, manufacturing, financial services, healthcare, insurance, hospitality, nonprofit and government.

Prior to joining CBIZ, Brenda was a Manager in the Risk Assurance Services practice at KPMG and served over 20 years with Federal Express.

901.685.5575 • [email protected]

#cbizmhmwebinar 7

Agenda

01 PCI-DSS Introduction – The Basics

02 Anatomy of a Breach

03 Cost of Noncompliance

04 Building a Robust PCI Compliance Program

05 Questions

#cbizmhmwebinar 8

PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS

THE BASICS

#cbizmhmwebinar 9

Who Must Comply?

All organizations, including merchants and service providers, that store, process and/or transmit cardholder data must validate that they are compliant with PCI DSS and provide proof of compliance to their acquirer once every year.

#cbizmhmwebinar 10

What is PCI-DSS?

Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements designed to protect credit card data. The credit card brands enforce the requirements which include an annual validation.

#cbizmhmwebinar 11

Payment Card Industry Security Standards Council – Brief History

#cbizmhmwebinar 12

What is Payment Card Data?

#cbizmhmwebinar 13

Six Objectives and 12 Requirements

Goal: Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect Cardholder Data

3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Goal: Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Goal: Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Goal: Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Goal: Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

#cbizmhmwebinar 14

Merchant Levels (VISA)

Level 1: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year, or any merchant that has suffered a data breach.

Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.

Level 3: Any merchant processing 20,000 to 1,000,000 e-commerce transactions per year.

Level 4: Any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 transactions per year.

#cbizmhmwebinar 15

Merchant Validation Requirements (VISA)

Level 1
• Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), or by an Internal Security Assessor (ISA) if signed by an officer of the company
• Quarterly network scan by an Approved Scan Vendor (ASV)
• Attestation of Compliance Form (AOC)

Level 2
• Annual Self-Assessment Questionnaire (SAQ)
• Quarterly network scan by ASV
• AOC

Level 3
• Annual SAQ
• Quarterly network scan by ASV
• AOC

Level 4
• Annual SAQ
• Quarterly network scan by ASV, if applicable
• Compliance validation requirements set by merchant bank

#cbizmhmwebinar 16

Payment Methods & Validation Requirements

SAQ Validation Type: Merchant Payment Method

SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing or transmission of any cardholder data on the merchant's systems or premises.

SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties and who have a website (or websites) that does not directly receive cardholder data but can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.

SAQ B: Merchants using only imprint machines with no electronic cardholder data storage and/or standalone, analog dial-out terminals with no electronic cardholder data storage.

SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.

www.pcisecuritystandards.org

#cbizmhmwebinar 17

Payment Methods & Validation Requirements

SAQ Validation Type: Merchant Payment Method

SAQ C-VT: Merchants manually entering a single transaction at a time through a keyboard into an internet-based virtual payment terminal solution that is provided and hosted by a PCI-DSS validated third-party service provider, with no electronic cardholder data storage.

SAQ C: Merchants with payment application systems connected to the internet, with no electronic cardholder data storage.

SAQ P2PE: Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no cardholder data storage.

SAQ D: Merchants – all merchants not included in the descriptions for the above SAQ types. Service Providers – all service providers defined by a payment brand as eligible to complete an SAQ.

www.pcisecuritystandards.org

#cbizmhmwebinar 18

Questions for PCI DSS Basics

• Who must validate compliance annually?
A. Only merchants and service providers that have had a data breach
B. All merchants that store, process or transmit cardholder data
C. All merchants and service providers that store, process or transmit cardholder data, regardless of the number of transactions
D. Only merchants and service providers that process more than 20,000 transactions per year

• If I need help understanding whether I can self-assess and which self-assessment form to use, my best course of action is to:
A. Obtain the forms from www.pcisecuritystandards.org
B. Seek the assistance of a Qualified Security Assessor (QSA)
C. Ignore the requirement because no one will ever know
D. Both A and B

#cbizmhmwebinar 19

PCI DATA SECURITY STANDARDS

ANATOMY OF A BREACH

#cbizmhmwebinar 20

What is a Breach?

#cbizmhmwebinar 21

2015 Breaches by Industry

[Pie chart: 2015 breaches by industry. Sectors shown: Business Sector, Government & Non-Profit, Medical, Unknown, Education; values shown: 53%, 19%, 12%, 8%, 8%.]

Source: Security Affairs: DATA BREACH QUICKVIEW

#cbizmhmwebinar 22

2015 US State Rankings

Risk Based Security – 2015 Data Breach Trends

#cbizmhmwebinar 23

Data Breach – Methods of Intrusion

Method: Percentage

Weak remote access security: 28%

Weak passwords: 28%

Weak or non-existent validation: 15%

Unpatched vulnerability: 15%

Misconfiguration: 8%

Malicious insider: 6%

#cbizmhmwebinar 24

Anatomy of a Breach

#cbizmhmwebinar 25

Data Security Observation – RISK!

“Some organizations will be a target regardless of what they do, but most become a target because of what they do.”

#cbizmhmwebinar 26

Questions for Anatomy of a Breach

• If I do not validate PCI DSS compliance annually:
A. the acquirer can revoke my right to accept credit cards
B. I am at greater risk for a data breach
C. All merchants and service providers
D. Both A and B

• I do not have to worry about a data breach because I have cyber security insurance. True or False?

• I do not have to worry about a data breach because I process very few transactions. True or False?

#cbizmhmwebinar 27

PCI DATA SECURITY STANDARDS

COST OF NON-COMPLIANCE

#cbizmhmwebinar 28

PCI Non-Compliance

Merchants and service providers that do not submit proof of compliance to their acquirer can be subject to the following:

• Penalties and fines for non-compliance (breach of contract)
• Fines from card brands, passed on as increased processing fees
• Revocation of the ability to accept credit card payments
• Failure to implement PCI DSS requirements can lead to a data breach

#cbizmhmwebinar 29

Data Breach Costs

The merchant can incur or be held liable for the following costs associated with a data breach:

• Cost to notify victims and provide credit monitoring
• Cost to replace payment cards (credit, debit, HSA, gift)
• Cost associated with fraudulent transactions
• Forensic investigations
• Increasing validation requirements and frequency
• Expense associated with revalidation by a QSA

Once a merchant has been breached, the merchant can no longer self-assess.

#cbizmhmwebinar 30

What's at Stake for Nonprofits and Public Sector?

• Significant risk to reputation
• Donors' trust
• Credit card data stored for recurring membership or donation payments is at risk
• Funding can be difficult to obtain or allocate for internal projects
• Mobile payments at conferences or events pose a greater risk

#cbizmhmwebinar 31

Data Breach Response

#cbizmhmwebinar 32

Questions for Cost of Non-Compliance

• If I do not validate PCI DSS compliance annually:
A. the acquirer can assess costly fines and penalties
B. I am at greater risk for a data breach
C. the ability to accept credit cards can be revoked
D. All of the above

• My acquirer has not requested proof of compliance from me, so I do not have to validate my compliance. True or False?

#cbizmhmwebinar 33

PCI DATA SECURITY STANDARDS

BUILD A ROBUST PCI COMPLIANCE PROGRAM

#cbizmhmwebinar 34

Six Objectives and Twelve Requirements

Goal: Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect Cardholder Data

3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Goal: Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Goal: Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Goal: Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Goal: Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

https://www.pcisecuritystandards.org

#cbizmhmwebinar 35

Robust PCI DSS Compliance Program

• Executive commitment and oversight

• Scoped accurately

• Controls and control tests must be objective, valid, reliable and economical

• Report annually

• Monitor and nurture the PCI sustainment program

#cbizmhmwebinar 36

Cardholder Data Environment Scoped Accurately

#cbizmhmwebinar 37

Controls, Tests and Evidence Clearly Defined

• Objective: the test must be fair

• Valid: must consistently measure a specific ability

• Reliable: sufficient evidence and a clear understanding of accountable individuals

• Economical: design control tests to be efficient and cost conscious

#cbizmhmwebinar 38

Report Annually

• File your Attestation of Compliance (AOC) with your acquirer on an annual basis.

• Inform your acquirer if your assessment results will be delayed.

• Maintain evidence with the report for at least two years (or in accordance with your company data retention policy).

#cbizmhmwebinar 39

Monitor and Nurture PCI Sustainment Program

• Define a test schedule for the year and monitor controls throughout the year.

• Monitor and report the status of control testing on a consistent basis.

• Ensure that any control failures are remediated and retested in a timely manner.

#cbizmhmwebinar 40

Questions for Building a Robust PCI Compliance Program

• True or False: Scoping is one of the most important functions of the annual PCI compliance assessment.

• True or False: The best PCI DSS Compliance Programs have a champion to promote security and build a strong security culture.

#cbizmhmwebinar 41

Marketability of your PCI Compliance

Once your organization is PCI compliant, publish this stamp on your website.

#cbizmhmwebinar 42

QUESTIONS

#cbizmhmwebinar 43

If You Enjoyed This Webinar…

Upcoming Courses:
• 3/31: Building an Actionable and Easy-to-Implement Business Continuity Plan
• 4/5 & 4/19: Leasing Unleashed – A Deep Dive into the New Standard
• 4/13 & 4/20: First Quarter Accounting and Financial Reporting Issues Update
• 4/28 & 5/17: Top Lessons Learned from the First Year of the Uniform Grant Guidance Implementation

Recent Publications:
• Report Asks for 501(c)(3) Application Improvements
• Managing Underwater Endowments for Not-for-Profit Organizations
• Does Your Not-for-Profit Need an Audit of Its Marketing, Fundraising Streams and Advertising?

#cbizmhmwebinar 45

THANK YOU

CBIZ Security & Advisory Services, LLC • [email protected]