
PCI-DSS Overview

Adam Goslin, Co-Founder, High Bit Security, April 26, 2011

About High Bit Security


- High Bit helps companies obtain or maintain their PCI compliance (Level 1 through Level 4 compliance)
- High Bit will identify where your organization stands against the PCI-DSS standards (GAP analysis), provide remediation advice, and coordinate with security assessors
- High Bit provides cost-effective Penetration Testing for either internal or external testing against the network and/or application layers
- High Bit's manual Penetration Testing is performed by security engineers that hold industry-recognized certifications

PCI Compliance Overview


- PCI-DSS = Payment Card Industry Data Security Standard
- PCI DSS stands for the Payment Card Industry Data Security Standard, and is a compliance standard founded in 2004 as a result of the combination of 5 different security programs in operation at the time by Visa, MasterCard, Discover, JCB and American Express. The intent of this standard is to protect cardholder data (CHD) through an approach that covers every aspect of a technology-based solution, from policies through infrastructure and everything in between.
- Implemented through core payment processors, and disseminated through the industry from there, starting with the largest organizations and moving through smaller organizations.

PCI Compliance: Who Is Impacted?


- Common misconception: PCI only applies to the large ecommerce-style companies
- PCI applies to EVERY organization that receives, stores, processes or transmits cardholder data, from the large ecommerce online retailers through the single pizza shop
- PCI breaks out compliance into Levels, which for simplicity we'll separate into two groups:
  - Level 1 = 6 million + annual transactions
  - Levels 2-4 = < 6 million annual transactions

PCI Compliance: Levels of Compliance


The levels (1-4) are broken out by quantity of annual transactions

Level 1 = 6 million + annual transactions
- Annual Report on Compliance (ROC) must be filed by a Qualified Security Assessor (QSA)
- Quarterly network scans by an Approved Scan Vendor (ASV)
- Completion of an Attestation of Compliance (AOC)

Levels 2-4 = < 6 million annual transactions
- Annual Self Assessment Questionnaire (SAQ)
- Quarterly network scans by an Approved Scan Vendor (ASV)
  - Level 4 - only if applicable
- Completion of an Attestation of Compliance (AOC)
- Level 4 - compliance validation requirements set by acquirer

PCI Compliance: SAQs


- SAQ A: Card-not-present Merchants, All Cardholder Data Functions Outsourced
- SAQ B: Merchants with Only Imprint Machines or Only Standalone, Dial-Out Terminals. No Electronic Cardholder Data Storage.
- SAQ C-VT: Merchants with Web-Based Virtual Terminals, No Electronic Cardholder Data Storage.
- SAQ C: Merchants with Payment Application Systems Connected to the Internet, No Electronic Cardholder Data Storage.
- SAQ D: All Other Merchants and All Service Providers Defined by a Payment Brand as Eligible to Complete an SAQ

PCI Compliance: First Steps


Untold benefits of leveraging assistance from resources that have been through PCI compliance before:
- Quickly gain understanding of where your organization stands against the PCI DSS standards
- Mitigate the amount of time (cost) required by internal IT resources
- Streamline the process of getting to solution discussions, whether internal resources or external software, hardware, or services
- Guidance for mitigating the breadth of the cardholder data environment

PCI Compliance: First Steps Continued


- PCI Compliance contains over 260 different individual requirements, ranging from HR hiring/firing policies and procedures to the lockdown of services on each individual machine in the Card Holder Environment (CHE)
- Planning for your move to PCI compliance is essential, whether leveraging physical or virtual infrastructure

PCI Compliance: Infrastructure Factors


- Costs of becoming PCI compliant are directly proportional to the breadth of your Card Holder Environment (CHE)
- In many cases, companies will opt to migrate from one platform to another when performing their PCI compliance, for several reasons: infrastructure age; need to segregate the CHE from existing non-CHE functionality; ability to keep present systems available

PCI Compliance: Physical vs Cloud


- If your environment is very small, physical infrastructure may make the most sense
- If your environment is comprised of several devices, a cloud architecture (Private Cloud) becomes more appealing
- In both cases, they must meet all requirements of PCI-DSS
- Cloud architecture allows staging of mostly compliant VMs as a base
- With cloud architecture, special considerations apply to the hypervisor (virtual environment management)

PCI Compliance: Impact Areas


PCI DSS Requirements
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security

PCI Compliance: Upcoming Webinars


- Tuesday 5.03.11 @ 2pm - PCI Compliance: Detailed Requirements Walkthrough
- Tuesday 5.10.11 @ 2pm - PCI Compliance: Penetration Testing and Enhancing Security for Network and Applications

PCI Compliance: Q&A

- Free consultations for PCI DSS compliance
- Free consultations for Penetration Testing

High Bit Security
Adam Goslin - Founder
Cell: 248-388-4328
Email: agoslin@HighBitSecurity.com