
PCI Compliance Overview

PCI Background

• 2000 – Visa introduces CISP for the USA

• 2001 – Visa mandates CISP for all merchants

• Other card companies follow suit with their own programs (e.g. MasterCard’s SDP program)

• 2005 – Payment Card Industry (PCI) announces the Data Security Standard (DSS), with joint support from all major card brands, which went into full effect on June 30, 2005

• 2006 – PCI Security Standards Council is formed and PCI DSS v1.1 is released
PCI Data Security Standard: 12 Main Requirements
PCI Classifications
PCI Validation Requirements
Who and What Needs to be PCI Compliant?

• The PCI Data Security Standard applies to all members, merchants and service providers that store, process or transmit cardholder data

• All PCI requirements must be met in order to be considered in compliance

• The requirements apply to all “system components” – defined as “any network component, server, or application included in, or connected to, the cardholder data environment.”
PCI DSS: Only FULL Compliance Counts!

The PCI Data Security Standard is made up of:

• 6 Primary objectives

• 12 Main requirements

• Around 230 specific requirements

A single requirement not being met = non-compliance


PCI Non-Compliance Penalties
• Nothing is set in stone – showing due diligence is key
• Non-compliant Level 1 and Level 2 merchants are being fined up
to $25,000 per month, as of October 1, 2007 and January 1, 2008,
respectively
• May have credit card processing privileges revoked
• May be reported to the Terminated Merchant File (MATCH list),
which is available to other acquirers
• In the case of a breach or incident:
– Up to $500,000 in fines per incident, per card brand
– Will be responsible for a full-scale investigation and remediation
costs
– Must obtain PCI compliance certification in order to continue
processing credit card transactions
– Unlimited liability for fraudulent transactions
– Civil liabilities (e.g. class action lawsuits)
– Lost consumer confidence / negative impact to brand image
Auditor’s Perspective: Common Areas of Non-Compliance
1 - Network Segmentation
• Scope is defined as “…all system components … included in, or connected to, the cardholder data environment”

• Network segmentation is THE KEY to controlling the cost of PCI compliance!

• Use internal firewalls to contain the cardholder data environment and minimize the audit scope
Example Network with Cardholder Data Highlighted
Example Network – PCI Audit Scope
Example Network with Added Segments for Cardholder Data
Example Network – PCI Audit Scope with Added Segmentation
2 - Data Encryption
• Requirement 3.3: Mask account numbers when displayed (only show
first 6 digits and last 4 digits)

– Except for employees who must see full credit card numbers due to
job function

• Requirement 3.4: “Render sensitive cardholder data unreadable anywhere it is stored…”
– In databases
– In logs
– On backup tapes or portable media

• Requirement 3.6: Fully document and implement secure key management processes

• Requirement 4: Encrypt transmission of cardholder and sensitive information across public networks
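Requirements 3.3 and 3.4 above are often failed together when full account numbers leak into application logs. The following is an added Python example (not part of the original deck) of a log-scrubbing filter: it finds candidate PANs in a log line, keeps only Luhn-valid ones so order ids and timestamps are left alone, and masks them to the first six and last four digits. The regular expression, helper names and sample log lines are constructed for this example.

```python
import re

# Candidate PANs in free text: a bare run of 13-19 digits, or 16 digits grouped
# 4-4-4-4 with spaces or hyphens. The pattern is deliberately broad; the Luhn
# check below weeds out order ids and timestamps (constructed, not from the deck).
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b|\b\d{4}(?:[ -]\d{4}){3}\b")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Mask to first six and last four digits (Req. 3.3), keeping separators."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        return pan                      # too short to be a PAN; leave alone
    masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    out, idx = [], 0
    for ch in pan:                      # re-insert the original separators
        if ch.isdigit():
            out.append(masked[idx])
            idx += 1
        else:
            out.append(ch)
    return "".join(out)

def scrub_line(line: str) -> str:
    """Mask every Luhn-valid candidate PAN in a log line (Req. 3.4: logs)."""
    def repl(m: re.Match) -> str:
        found = m.group(0)
        return mask_pan(found) if luhn_valid(re.sub(r"\D", "", found)) else found
    return PAN_CANDIDATE.sub(repl, line)

# Constructed sample log lines; the card numbers are well-known industry test numbers.
SAMPLE_LOG = [
    "2008-01-15 10:22:01 INFO order=1234567890123 card=4111111111111111 amount=19.99",
    "2008-01-15 10:22:05 DEBUG raw request pan='5500 0000 0000 0004' exp=12/10",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub_line(line))
```

Masking at write time is a mitigation, not a substitute for keeping PANs out of logs in the first place; the filter also only recognises unseparated and 4-4-4-4 formats.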
3 - Logging and Monitoring
• Requirement 10: Track and monitor all access to network resources and
cardholder data

• 10.5: Secure audit trails so they cannot be altered

• 10.6: Review logs for all system components at least daily

• 10.7: Retain audit trail history (normally for at least a year)

• 11.4: Use IDS/IPS to monitor all network traffic and alert personnel to
suspected compromises

• 11.5: Deploy file integrity monitoring


4 - Policies & Procedures
• 12.1: Must establish, publish, maintain and disseminate a
comprehensive security policy (reviewed and updated at least annually)

• 12.2: Must develop daily security administration procedures

• 12.4: Assign information security responsibilities

• 12.8: Contractually require all 3rd parties with access to cardholder data
to adhere to PCI requirements

• Many requirements throughout the PCI DSS include the need to establish documented security standards and procedures
Compensating Controls
If a requirement cannot be met for some reason,
compensating controls can be used, but they must:
1. Meet the intent and rigor of the original stated PCI
DSS requirement
2. Repel a compromise attempt with similar force
3. Be “above and beyond” other PCI DSS requirements
4. Be commensurate with the additional risk imposed
by not adhering to the PCI DSS requirement
How to Get Started?
• Go to www.pcisecuritystandards.org and download the following:
– PCI Data Security Standard
– PCI Security Audit Procedures
– PCI Self-Assessment Questionnaire
Thank You!

Jeremy Simon, PCI QSA, CISSP, CISA

Please direct questions/comments to:


jsimon@halock.com
847-221-0200

www.halock.com
