PCI Compliance Awareness Program for Marine Corps Community Services
Contact: Paul Watson

Overview

• What is PCI?
• MCCS Compliance
• PCI DSS Technical Requirements
• MCCS Information Security Policies
• MCCS Common PCI Findings
• Making a Difference at MCCS
• Glossary of Terms

What is PCI?

• PCI stands for Payment Card Industry
• PCI is an umbrella term used for a comprehensive security program to protect card information from accidental disclosure
  – PCI SSC – PCI Security Standards Council
  – PCI DSS – PCI Data Security Standard
• Provides protections for all participants in a credit card transaction:
  – Cardholder (Marines, Marine family members, etc.)
  – Merchant (Exchanges, Seven Day Stores, Golf Pro Shop, Clubs, etc.)
  – Banks/Acquirers (Bank of America)
  – Service Providers (Examples?)
  – Card Brands (Visa, MasterCard, American Express, Discover, JCB)

PCI Data Security Standard

• Represents:
  – Merchant and card industry required data security practices
  – Common acceptance and participation by multiple card brands (5 today)
  – Establishes a single Security Auditing Procedures (SAP)
  – Best way to protect credit card information for all MCCS activities
• Best sources of reference:
  – For PCI Data Security Standards and Requirements: www.pcisecuritystandards.org
  – For business understanding of merchant compliance requirements: www.visa.com/cisp

Evolution of PCI and Card Brand Security

• Since 2001, card brand security programs & enforcement:
  – Visa CISP – largely onsite audit driven
  – MasterCard SDP – primarily scans, questionnaires
  – American Express DSOP – nothing
  – Discover DISC – nothing
  – JCB and Diners – nothing (also original participants in PCI)
• PCI Data Security Standard started in 2004
• PCI Data Security Standard v1.1 – September 2006
  – Common standard of best practices from individual card brand security programs
  – Retains individual card brand enforcement programs
  – Maintained by the PCI Security Standards Council
• PCI Data Security Standard v1.2 – October 2008

Why PCI Compliance Matters

1. Demonstrates MCCS' commitment to protecting our customers' confidential data.
2. Indicates stronger controls & processes to assess IT risk and prevent data compromise.
3. Helps to avoid substantial fines and penalties from the card industry.
4. Demonstrates compliance for key customers who demand adherence to the PCI DSS.
5. Provides better protection for Marines and Marine family members.

Source: Visa – July 2006

Payment Card Industry Overview

[Diagram: Payment Card Industry Overview – the Acquirer (BofA/Chase) and the Issuer are each members of the card brand network and may or may not be the same bank; the Acquirer processes transactions for the Merchant (MCCS Activities), the Issuer issues cards to the Cardholder (Marine), and the Cardholder uses the card to purchase goods or services from the Merchant; Service Providers also appear in the diagram.]

PCI Data Security Standard Applies to Who?

• Anyone who "Stores, Processes or Transmits" cardholder data must comply with the PCI DSS
• Including:
  – Members (Banks & Acquirers – Bank of America, Chase Paymentech)
  – Merchants (MCCS – Exchanges, Seven Day Stores, Clubs, etc.)
  – Service Providers (Examples?)
• And the following, where they connect to cardholder data environments:
  – Network Components (Modems, Wireless Routers, Firewalls, etc.)
  – Servers (In-store controller/systems)
  – Applications (Point of Sale (POS) Software – Triversity, HSI, EPOS, etc.)

What does PCI protect?

• The cardholder's identity and confidential data, including:
  – Magnetic stripe (track 1 and track 2 data)
  – Card Verification Values (CVC, CVV2 – 3 or 4 digit codes printed on the back or front of the card)
  – Payment Account Numbers (PAN)
  – Personal Identification Numbers (PIN)
  – Passwords
  – Card expiration dates
  – Personal data: name, address, email

Card Compromises have a Ripple Effect

[Diagram: ripple effect of an MCCS data breach – direct and indirect impacts spreading to Marines, their families, MCCS, MCCS partners, vendors, Visa/MC, Paymentech, competitors and potential legislation.]

Why? What's at risk?

• Data breaches can lead to significant adverse consequences
• For Marine Corps Community Services:
  – Unwanted media attention – e.g. DSW, TJX, Hannaford
  – Lost revenue and/or financial damages
  – Lost time and distractions to Marines and their families
  – Litigation
  – Substantial VISA and MasterCard penalties
• For the cardholder:
  – Identity theft
  – Unauthorized charges to their credit or debit card account
  – Damage to their personal credit rating
  – Financial losses

Cost of a Data Breach

Studies estimate the 2007 cost of a data breach at:
• $197* per compromised record
• an average total per-incident cost of $6.3 million*

What does this mean to MCCS?
• A single MCCS command can conduct up to 650,000 transactions per year or more.
• Card breaches often take 12 - 18 months to be identified.
• All cards used during that period could be compromised or at risk.
• Total cost to MCCS for a breach at a single base can potentially be up to $128 million (650,000 × $197).

Fines per incident:
• VISA – up to $500,000
• MC – often $25 per card = up to $16,250,000

* Source: Ponemon Institute's 2007 Cost of a Data Breach Report

Non-Compliance Fines and Enforcement

• Compliance is enforced by MCCS' banks and fines start from the card brands (Visa/MC)
• i.e. the security program has teeth!
• VISA CISP compliance fines & penalties (one brand example):
  – Visa fines the responsible bank
    • Typically $5,000 - $25,000 per month per merchant
  – Bank passes fines on to merchant (MCCS)
  – Bank imposes restrictions on merchant (MCCS)

MCCS Goal – Utopia: Safe Harbor

• Safe harbor provides merchants protection from fines in the event that they or one of their service providers experiences a data compromise.
• To attain safe harbor status MCCS must:
  – Validate compliance with a third party QSA annually
  – Maintain full PCI compliance at all times
  – Demonstrate that prior to a compromise, all PCI compliance validation requirements were fully met.

MCCS Compliance – Visa & MC

MCCS is a Level One merchant.

VISA and MasterCard requirements:
• Level One (>6 million single card brand transactions/yr):
  – Includes all types of payment card transactions (debit, credit, phone, etc.)
  – Annual onsite PCI data security assessment (SAP/ROC)
  – Quarterly network vulnerability scans

PCI DSS Technical Requirements

PCI Data Security Standard (DSS)

• 6 Control Objectives
• The Digital Dozen – 12 PCI DSS requirements
• 226 detailed, security-focused sub-requirements

PCI DSS Control Objectives

1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Monitor and test networks regularly
6. Maintain an information security policy

The PCI DSS Digital Dozen

1. Install & maintain a secure firewall configuration
2. Maintain system configuration standards
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update antivirus software or programs
6. Develop & maintain secure systems & applications
7. Restrict access to cardholder data by business need to know
8. Assign unique IDs and implement strong password controls
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems & processes
12. Maintain an information security policy

226 Sub-Requirements

• Detailed in the PCI Data Security Standard
  – https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html

Requirement 8: Assign a unique ID to each person with computer access.

8.1 Identify all users with a unique user name before allowing them to access system components or cardholder data.
8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
  • Password
  • Token devices (for example, SecureID, certificates, or public key)
  • Biometrics
8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:
  8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
  8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.

What to Do if You Suspect a Compromise

• Identification
  1. Is a secured area found unlocked and confidential information missing?
  2. Have you noticed new, unidentifiable equipment in the POS area?
  3. Do security logs alert you to suspicious activities?

• Reporting
  1. Immediately inform your manager of the compromise. If unavailable, inform the Information Security Manager or IT Point of Contact for your Command.
  2. Determine if there is an ongoing threat to customer account information or MCCS network data. Notify the IT\Network Manager immediately.

MCCS – Common PCI Findings

• Compiled from onsite PCI assessments performed at 12 bases
• Most common non-technical findings:
  – Management of visitors: badged, authorized, escorted
  – Security of paper credit card receipts and reports
  – Password security
  – Maintaining logs
  – Keeping lockable items locked

Challenge Visitors

• PEDs (PIN entry devices) are now being attacked
• Attackers are becoming more sophisticated and bold with their attacks.
• Employees need to be vigilant of visitors: are they wearing proper badges, and are they properly authorized to be working in the area?
• Do not be afraid to question them.

Vigilance can prevent attacks such as these.

Kiosk False Front & Hidden Camera

[Photos: a camera hidden inside a pamphlet holder next to an ATM on the University of Texas campus, and a false front (skimmer) placed over the face of the ATM in Texas. Unauthorized personnel install these devices.]

Source: http://www.utexas.edu/police/alerts/atm_scam/

Visitor Logging

• Logs serve a purpose:
  – Require visitor logs for all areas storing or processing cardholder data
  – Enforce the signing of logs by all visitors
  – Retain logs for at least a year

Paper Receipt Security and Retention

• Paper receipts should be stored:
  – In rooms or closets with secured locks
  – In containers marked
    • "FOUO" (For Official Use Only)
    • with storage and retention dates
• Containers' contents should be:
  – Inventoried
  – Periodically reviewed against inventory lists

Records Warehousing

Records Warehousing Best Practices: the ultimate in records security

Password Security

• Passwords should be secure and protected:
  – Minimum of 7 characters
  – Alpha, numeric, and special characters – U$mC@1S#1
  – Do not use common names or words that can be found in the dictionary
  – Do not write down or keep passwords in a public place where they may be discovered

Physical Security

• Clear desk – Do not leave papers or reports containing cardholder data on desktops or in areas accessible by customers.
• Lock all doors, cabinets or drawers securing receipts or other papers holding card data.
• Don't leave passwords on post-its or viewable at desks.
• Do not promote or allow "tailgating."
• Ensure customer receipts and cardholder data are not accessible by those that are not authorized.
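As an added illustration (not part of the MCCS slides), a Python check that applies the Password Security rules above: minimum 7 characters, alpha, numeric and special characters, and no dictionary word or common name. The word list is a constructed stand-in for a real dictionary file, and the substitution table is an assumption added to catch words disguised as m@r1ne.

```python
import string

MIN_LENGTH = 7   # the slide's minimum

# Constructed stand-in for a dictionary / common-name list (assumption: a real
# deployment would load a full word list instead).
COMMON_WORDS = {"marine", "marines", "corps", "semper", "fidelis",
                "password", "welcome", "summer", "exchange"}

# Common character substitutions that make a dictionary word look "complex"
# while leaving it just as guessable (m@r1ne -> marine).
LEET = str.maketrans({"@": "a", "$": "s", "1": "i", "!": "i",
                      "0": "o", "3": "e", "5": "s", "7": "t"})

def letters_only(s: str) -> str:
    return "".join(c for c in s if c.isalpha())

def check_password(pw: str) -> list:
    """Return the slide rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeric character")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    # Dictionary check on the letters as typed and after undoing substitutions.
    forms = (letters_only(pw.lower()), letters_only(pw.lower().translate(LEET)))
    if any(w in f for f in forms for w in COMMON_WORDS):
        problems.append("contains a dictionary word or common name")
    return problems
```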

Making a Difference at MCCS

• If you accept a customer's credit card for payment, here are some ways you can help to meet PCI DSS compliance:

1. Protect your customer's cardholder data at all times.
2. Don't write down or share customer account information.
3. Don't ask a customer for their CVC or CVV2 when the customer is present to authenticate their own card.
4. If your department uses AVS, do ask a customer to confirm their zip code and address.
5. Be sure to protect merchant receipt copies that have customer payment card account numbers on them.

Making a Difference at MCCS

• If you work in an office that processes payment card transactions, here are some ways you can help to meet PCI DSS compliance:

1. Don't share card data over the phone or with those who are not authorized to have such information.
2. If you work in an area that requires use of payment card data, do not take card data home or leave it on your desk unattended or overnight. (Clean Desk Policy)
3. Use computers for acceptable business purposes only. Do not load personal music, files, or applications or access your personal email. (Acceptable Use Policy)
4. Be sure to change your passwords regularly.
5. Learn how to construct a strong computer password.
6. Do not share your passwords with others, even your manager or MCCS IT personnel.
7. Don't leave computers on and unattended. Log out and/or use locked screen savers.
8. Maintain a segregation of duties between development, testing\QA, and production.
9. Be aware of data retention requirements for payment card receipts and related transactions.
10. Read your MCCS Information Security Policy and attend your annual security awareness training.

Making a Difference – IT

• If you work in MCCS IT areas, here are some ways you can help to meet PCI DSS compliance:

1. Never store magnetic stripe, CVC2 or PIN data after authorization.
2. Payment card Primary Account Numbers (called PAN) should always be stored encrypted using strong encryption algorithms such as 3DES and AES.
3. Full PANs should be masked when displayed.
4. Payment cardholder data should always be encrypted during transmission over public networks, i.e. wireless or the Internet.
5. Access to databases where payment card and other sensitive data resides should be restricted to those with a business need to know.
6. Ensure the use of antivirus software including automatic updates and periodic scans.
7. Do not share your user IDs or passwords.
8. Don't use administrator accounts to perform regular user tasks.
9. Ensure that all non-console administrative access is encrypted. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
10. Restrict physical access to payment card data or systems storing card data.
11. Protect and manage backup media. Store media securely, log removal of media, transfer securely, and destroy securely according to the MCCS data retention policy.
12. Attend annual security awareness training.
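An added example (not part of the MCCS program material) of how IT could check items 1 to 3 above on an export or log file: it flags clear-text PANs and stored track 2 data using the Luhn check, and produces the first-six/last-four masked form for display. The sample lines are constructed and use the card industry's published test numbers, not live accounts.

```python
import re

# Constructed sample export (not real MCCS data); the card numbers are the
# industry's published test numbers, not live accounts.
SAMPLE = """\
2008-10-03 ORDER 1187 PAN=4111111111111111 EXP=1011 AMT=42.50
2008-10-03 ORDER 1188 PAN=411111******1111 AMT=17.00
2008-10-03 NOTE customer phone 5551234567 (ten digits, not a card)
2008-10-03 ORDER 1189 TRACK2=;5555555555554444=10111011000012300000?
"""

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: real PANs pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Unmasked PAN candidates: 13-19 digit runs that pass the Luhn check."""
    runs = re.findall(r"(?<!\d)\d{13,19}(?!\d)", text)
    return [r for r in runs if luhn_valid(r)]

def find_track2(text: str) -> list:
    """Track 2 data (;PAN=YYMM...), never to be kept after authorization; returns (pan, expiry)."""
    return re.findall(r";(\d{13,19})=(\d{4})\d*\??", text)

def mask_pan(pan: str) -> str:
    """Display form (item 3 above): at most the first six and last four digits shown."""
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def review(text: str) -> list:
    """One finding per line that still holds clear-text PAN or track data."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for pan in find_pans(line):
            findings.append((n, "clear-text PAN", mask_pan(pan)))
        for pan, _exp in find_track2(line):
            findings.append((n, "track 2 data stored", mask_pan(pan)))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Findings carry only the masked PAN so the review report itself does not become another place where card numbers are stored.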

Making a Difference – HR and Training

• If you work in MCCS HR areas, here are some ways you can help to meet PCI DSS compliance:

1. Ensure that new employees are properly screened and background checks are performed appropriate to their job responsibilities.
2. Inform employees and managers of their obligation to read and understand Information Security Policies.
3. Ensure that new employees are informed of MCCS Acceptable Use Policies for IT equipment and customer information.
4. Ensure that new employees attend IT training including how to change their passwords and how to use and protect customer data.
5. Ensure that managers provide new employees with IT systems access appropriate to their job responsibilities. (business need to know)
6. Inform IT in a timely manner about employee terminations so their user IDs, network and systems access privileges may be removed.
7. Execute periodic security awareness communication programs such as emails, notices, posters, etc.

Make a Difference – Finance\Purchasing

• If you work in MCCS Finance or Purchasing, here are some ways you can help meet PCI DSS compliance:

1. Store receipts, statements and any other financial data containing cardholder information in a locked file drawer, safe or other designated secure area.
2. If payment card Primary Account Number (called PAN) is downloaded from banks or card brands, data should always be stored encrypted. This applies to Excel spreadsheets, Word and PDF documents.
3. Restrict access to PANs to only those individuals in the accounting and finance departments with a business need to know.
4. Storage and inventory of transaction and card receipts should be minimized to only that which is required for business purposes. (i.e. 18 months)
5. Storage areas containing payment card data must be monitored with video cameras and a card access system that provides an audit trail of each individual entry.
6. Maintain accurate and complete logs of all archived or stored data including accounting boxes with card data and receipts stored securely offsite.
7. Do not share passwords.
8. Never send card account numbers via email or in any other unsecured manner.
9. Attend annual security awareness training.

Making a Difference – Facilities

• If you work in MCCS Facilities, here are some ways you can help to meet PCI DSS compliance:

1. Maintain physical locks and access controls on storage areas – these are key to protecting cardholder information.
2. Cardholder receipts and other accounting data that have full payment card Primary Account Numbers (called PAN) should be accessible only to those with authorized access.
3. Reconsider shared access by other departments.
4. Avoid open windows and access points that could lead to theft of data.
5. Operate and maintain video surveillance equipment for secure data areas.
6. Maintain a visitor log that indicates accountability for who accesses areas where sensitive information is stored, transmitted or processed.
7. Retain video recordings for at least 90 days and visitor logs for at least one year in the event of a data compromise.
8. Attend annual security awareness training.

Making a Difference – Legal, Purchasing, and Internal Operations

• If you work at MCCS in Purchasing, Legal, Marketing or Internal Operations, here are some ways you can help to meet PCI DSS compliance:

1. Make sure MCCS contractual agreements for third parties that store, transmit and/or process MCCS cardholder data have appropriate PCI and security language as identified in Requirement 12.8.
2. Practice vendor due diligence and management.
3. Ask your vendors how they comply with the PCI DSS.
4. Develop secure mechanisms for sharing card data. (Ask MCCS IT)
5. Review ongoing PCI compliance requirements for all third parties.
6. Develop contract practices to ensure MCCS vendors maintain ongoing PCI compliance, how they inform you and what happens if they don't meet those requirements.
7. Attend annual security awareness training.

Where to Get More Information

1. Visa Cardholder Information Security (www.visa.com/cisp)
2. PCI Security Standards Council website (www.pcisecuritystandards.org)

Print Name & Date: ____________________  Command/Office: ____________________

Signature & Employee ID #: ____________________  Supervisor Signature: ____________________