4/19/2019

Payment Card (PCI) Compliance

April 24, 2019

To Receive CPE

› Individuals
  • Participate in the entire webinar
  • Answer polls when they are provided
› Groups
  • Group leader is the person who registered & logged on to the webinar
  • Answer polls when they are provided
  • Complete the group attendance form
  • Group leader signs the bottom of the form
  • Submit the group attendance form to [email protected] within 24 hours of the webinar
› If all eligibility requirements are met, each participant will be emailed their CPE certificate within 15 business days of the webinar


Presenter

Cindy Boyle, CPA, CIA®, CITP, CISA® Partner [email protected]

Credit Cards Are the Most Frequently Available Item on the Dark Web

› Credit cards account for most instances of identity theft
› With the rollout of the EMV chip, application fraud is expected to increase in the U.S.
› Most credit card fraud is card-not-present (CNP) fraud
› Internationally, CNP fraud rose by 7%, resulting in $242.1 million in losses
› Interestingly enough, credit cards go for $1 each on the dark web

Sources: FICO, https://www.fico.com/enterprisefraud/; Fortune, http://fortune.com/2017/02/01/credit-card-chips-fraud/; Australian Payments Network, 2018, https://www.auspaynet.com.au/


What Is PCI Compliance?

› Many years ago, the card brands elected to have a common standard for assessing the protection of cardholder data (CHD)
› Implemented the Payment Card Industry Data Security Standard (PCI DSS)
› If an organization accepts card payments & stores, processes or transmits cardholder data, it needs to be PCI DSS compliant
› PCI DSS is a set of contractual rules, not a law; it is enforced by the payment brands & governed by the PCI Security Standards Council

What Is the Security Standards Council?

› PCI standards are required by the card brands & administered by the Payment Card Industry Security Standards Council (PCI SSC)
› Created to increase controls around cardholder data to reduce credit card fraud
› Qualifies companies & individuals to be PCI assessors, known as Qualified Security Assessors (QSAs)

[Diagram: PCI SSC standards by audience. Manufacturers: PCI PTS (PIN entry devices). Software developers: PCI PA-DSS (payment applications). Merchants & service providers: PCI DSS (secure environment). Solution providers: P2PE.]


PCI DSS

› PCI DSS defines technical & operational requirements for
  • organizations accepting or processing card payment transactions; &
  • software developers & manufacturers of applications & devices used in those transactions
› QSAs are trained to conduct PCI DSS assessments
  • Code of conduct that sets standards, including avoiding conflicts of interest
  • Requires initial training & a certification exam
  • Annual training & recertification exam
  • Must maintain working papers for assessments for three years

How Do You Take Credit Card Payments?

› Organizations (called merchants in the PCI world) typically have more than one way to take a payment
› Each way is known as a payment channel
  • In person
  • Payment devices (POS/POI terminals)
  • Mail order
  • Online
  • Phone (telephone orders)


Two Types of Assessments

Report on Compliance (ROC)
  • Must be performed by an independent organization
  • Led by a QSA
  • Required for Level 1 merchants & service providers
  • The acquiring bank may elect to require other levels to do a ROC

Self-Assessment Questionnaire (SAQ)
  • Intended to assist merchants & service providers in self-evaluating their PCI DSS compliance
  • May engage a QSA to assist or to perform the assessment
  • Eight different types of SAQs
  • Available to all levels except Level 1

The organization's acquiring bank (acquirer) or the card brands will determine the type of assessment. Either path ends with an Attestation of Compliance (AOC).

PCI Levels – Merchants in General

Level   Annual Transactions    Validation Actions                               Validated By
1       Over 6 million         • Annual on-site security audit (ROC)            • Independent assessor (QSA) or PCI-trained Internal Security Assessor (ISA)
                               • Quarterly network scan                         • Scans conducted by an ASV
2       1 to 6 million         • Annual self-assessment questionnaire (SAQ)     • Merchant (self-assessment)
                               • Quarterly network scan                         • Scans conducted by an ASV
3       20,000 to 1 million    • Annual SAQ                                     • Merchant (self-assessment)
                               • Quarterly network scan                         • Scans conducted by an ASV
4       20,000 or less         • Annual SAQ                                     • Merchant (self-assessment)
                               • Quarterly network scan recommended             • Scans conducted by an ASV


Service Providers

› A service provider is a business that is not a payment brand & is directly involved in the processing, storage or transmission of cardholder data
› Performs these duties on behalf of another entity
› Includes companies that provide services to merchants, other service providers or other entities that control or could impact the security of cardholder data
› Examples include
  • Data centers
  • Transaction processors
  • Managed service providers (MSPs)
  • Payment gateways
  • Vendors that provide POS maintenance

PCI Levels – Service Providers in General

Level   Definition                                                       Validation Actions                       Validated By
1       Payment gateways & processors                                    • Annual on-site security audit (ROC)    • Independent assessor (QSA) or PCI-trained ISA
                                                                         • Quarterly network scan                 • Scans conducted by an ASV
2       Storage/transmission/processing above 1 million transactions     • Annual SAQ                             • Self-assessment
                                                                         • Quarterly network scan                 • Scans conducted by an ASV
3       Storage/transmission/processing below 1 million transactions     • Annual SAQ                             • Self-assessment
                                                                         • Quarterly network scan                 • Scans conducted by an ASV


PCI SAQ Types

The type of SAQ depends on the merchant environment & is confirmed by the acquirer:
  • A: card-not-present merchants (e-commerce or mail/telephone order) that fully outsource all cardholder data functions
  • A-EP: e-commerce merchants that outsource payment processing to a third party, but whose website can affect the security of the transaction
  • B: merchants using a) imprint machines or b) standalone dial-out terminals
  • B-IP: standalone, PTS-approved payment terminals with an IP connection to the processor
  • C-VT: merchants that manually enter a single transaction at a time into a web-based virtual payment terminal (not e-commerce)
  • C: payment applications connected to the internet, no electronic CHD storage
  • P2PE: hardware payment terminals managed by a validated P2PE solution (not e-commerce)
  • D: all merchants not included in the above (& all service providers eligible for an SAQ)

PCI DSS Requirements

Goal: Build & maintain a secure network
  1. Install & maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords & other security parameters
Goal: Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Goal: Maintain a vulnerability management program
  5. Use & regularly update anti-virus software or programs
  6. Develop & maintain secure systems & applications
Goal: Implement strong access control measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Goal: Regularly monitor & test networks
  10. Track & monitor all access to network resources & cardholder data
  11. Regularly test security systems & processes
Goal: Maintain an information security policy
  12. Maintain a policy that addresses information security for all personnel


Requirement 1: Install & Maintain Firewall Configuration to Protect Cardholder Data

› Firewalls are required to protect the cardholder data environment (CDE)
› Restrict traffic from "untrusted" networks & hosts
› Prohibit direct public access from the internet to the CDE
› Network segmentation is not required, but it is a good idea: it shrinks the CDE & therefore the scope of the assessment

Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords & Other Security Parameters

› Network devices come with default passwords
› Remove/change these defaults for better security
› Configuration standards are part of this requirement; accepted industry sources include
  • NIST
  • ISO
  • SANS
  • CIS


Requirement 3: Protect Stored Cardholder Data

› Implement data retention & disposal processes
› Do not store the full PAN unless it is rendered unreadable (e.g., strong encryption, truncation or hashing)
  • When displayed, show at most the first six & last four digits of the card
› Encryption for additional protection
› Consider additional security measures, such as tokenization

Tokenization

› The process of replacing a credit card number (PAN) with a unique substitute value (a token) that has no mathematical relationship to the original data
› The token has no exploitable value outside the tokenization system; only that system can map it back to the PAN
› Reduces the risk of credit card data theft or misuse, & removes systems that handle only tokens from the scope of the CDE
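The two slides above (Requirement 3 and Tokenization) describe what to do with a PAN; the following added example, which is not part of the BKD deck, shows the handling in code: a Luhn check so garbage is never tokenized, display masking limited to the first six and last four digits, and a toy tokenization vault that issues random, format-preserving tokens. The vault is an in-memory dictionary, an assumption for the example; a real tokenization service keeps the PAN-to-token map in a hardened, segmented store. The PANs used are publicly documented test numbers, not real cards.

```python
"""PAN protection helpers: Luhn check, display masking and a toy tokenization vault.

Added example, not from the slides. The in-memory vault stands in for a
real, segmented tokenization service (assumption for the example).
"""
import re
import secrets

# Constructed sample input: standard, publicly documented test PANs, not real cards.
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    if not pan.isdigit():
        return False
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most the first six & last four digits visible."""
    if not re.fullmatch(r"\d{13,19}", pan):
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Toy tokenization: swap a PAN for a random token of the same length.

    The token keeps the last four digits (so receipts and support staff can
    still match a card) and is deliberately generated to FAIL the Luhn check,
    so a leaked token can never be mistaken for, or used as, a real PAN.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("refusing to tokenize an invalid PAN")
        if pan in self._pan_to_token:            # same PAN always gets the same token
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back to its PAN."""
        return self._token_to_pan[token]


def stored_record(pan: str, vault: TokenVault) -> dict[str, str]:
    """What an application outside the vault should persist: token + masked display, never the PAN."""
    return {"token": vault.tokenize(pan), "display": mask_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    for sample in SAMPLE_PANS:
        print(stored_record(sample, vault))
```

Failing the Luhn check on purpose is a common design choice for tokens because it lets downstream systems (and a DLP scanner) tell tokens from real card numbers; it is an example-level choice, not a PCI DSS requirement.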


Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks

› Use strong encryption wherever CHD is transmitted over open, public networks
› Includes wireless networks
› Never send unprotected PANs by end-user messaging technologies
  • Don't email card numbers
  • Don't send them over IM

Requirement 5: Use & Regularly Update Anti-Virus Software or Programs

› Use anti-virus software on systems commonly affected by malware
› Maintain & actively run current anti-virus definitions
› Prevent users from disabling anti-virus
› Generate & review activity logs


Requirement 6: Develop & Maintain Secure Systems & Applications

› Keep system patches current
  • Critical patches deployed within 30 days of release
› Risk-rank identified vulnerabilities
› Change control processes & procedures
› Secure coding guidelines

Requirement 7: Restrict Access to Cardholder Data by Business Need to Know

› Limit access to only those whose job requires it
› Documented approval for access
› Access control systems in place
  • Deny all unless specifically allowed
  • Grant only to those with a business need


Requirement 8: Identify & Authenticate Access to System Components

› Unique IDs & proper authentication required
› Strong password parameters
› Multifactor authentication: two or more independent methods from
  • Something you know (password)
  • Something you have (token)
  • Something you are (biometric)
› Do not use group, shared or generic IDs

Requirement 9: Restrict Physical Access to Cardholder Data

› Limit & monitor physical access to systems in the CDE
› Procedures to distinguish between on-site personnel & visitors
› Visitors are authorized & a visitor log is maintained
› Backups are secured
› Media is classified & safeguarded
› Destroy media when no longer needed
› Training for identifying tampered devices


Device Tampering: Skimming

› A skimming device is a camouflaged counterfeit card reader that records the card's information
› It still allows the cardholder to complete their transaction, so the theft goes unnoticed
› Used at ATMs, stores & taxis
› Can be a hand-held skimmer small enough to fit in a pocket

Requirement 10: Track & Monitor All Access to Network Resources & Cardholder Data

› Audit trail for users who have access to CHD
› Logging of invalid access attempts
› Restricted access to logs
› Prevent log tampering
› Time synchronization
  • Critical systems' clocks are synchronized
  • Time data cannot be tampered with
› Retain audit history for at least one year
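Logging invalid attempts is only useful if someone looks at the result. The following added example (not from the BKD deck) runs a small detection over a handful of constructed authentication log lines for a system in the CDE: it parses each line, keeps a sliding window of failures per user ID, and flags any ID that reaches the threshold. The log format, host name, user names, six-attempt threshold and 30-minute window are all assumptions made for the example.

```python
"""Flag repeated invalid access attempts in audit logs (Requirement 10 review).

Added example, not from the slides. Log format, host, user IDs, threshold
and window are assumptions for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines for a CDE database host (assumed format, in time order).
LOG_LINES = """\
2019-04-19T10:00:01Z chd-db01 auth: user=jsmith result=SUCCESS src=10.1.5.22
2019-04-19T10:02:10Z chd-db01 auth: user=mlee result=FAIL src=10.1.5.40
2019-04-19T10:02:14Z chd-db01 auth: user=mlee result=FAIL src=10.1.5.40
2019-04-19T10:02:19Z chd-db01 auth: user=mlee result=FAIL src=10.1.5.40
2019-04-19T10:02:25Z chd-db01 auth: user=mlee result=FAIL src=10.1.5.40
2019-04-19T10:02:31Z chd-db01 auth: user=mlee result=FAIL src=10.1.5.40
2019-04-19T10:02:38Z chd-db01 auth: user=mlee result=FAIL src=10.1.5.40
2019-04-19T10:15:00Z chd-db01 auth: user=jsmith result=FAIL src=10.1.5.22
2019-04-19T11:30:00Z chd-db01 auth: user=jsmith result=FAIL src=10.1.5.22
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"result=(?P<result>SUCCESS|FAIL) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "result": m["result"], "src": m["src"]}


def repeated_failures(lines, threshold: int = 6, window_seconds: int = 1800) -> dict:
    """Return {user: max_failures_in_window} for IDs with >= threshold FAILs inside any window.

    A deque per user holds timestamps of recent failures; entries older than the
    window are dropped before the count is compared against the threshold.
    Lines are assumed to be in chronological order (which Requirement 10's time
    synchronization is there to guarantee).
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["user"]] = max(flagged.get(ev["user"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for user, count in repeated_failures(LOG_LINES).items():
        print(f"ALERT: {user} had {count} invalid attempts within 30 minutes")
```

In the constructed sample, mlee fails six times in under a minute and is flagged, while jsmith's two failures are 75 minutes apart and fall outside the window. In practice the review would run against the centrally collected, tamper-protected copy of the logs, not the host's own file.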


Requirement 11: Regularly Test Security Systems & Processes

› Identify authorized & unauthorized wireless access points
› Run internal & external network vulnerability scans quarterly
› Internal & external penetration testing annually (service providers must also test segmentation controls every six months)
› Intrusion detection & prevention in place

Requirement 12: Maintain a Policy that Addresses Information Security for All Personnel

› Establish, publish & maintain security policies for PCI
› Daily operational security procedures
› Usage policies for critical technologies in the CDE
› Assign personnel with security responsibilities
› Security awareness program
› Employee screening prior to hiring
› Policies for service providers with CDE access
› Incident response plan in place


Appendices

› Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers
  • Protect each entity's hosted environment & data
  • Restrict each entity's access to only its own environment
› Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections
› Appendix A3: Designated Entities Supplemental Validation (DESV)
  • Applies only to entities designated by a payment brand or acquirer
  • Additional validation steps as required

Compensating Controls

› If an organization cannot meet a PCI DSS control as written, the assessor can determine whether compensating controls are in place
› The compensating controls worksheet in the ROC template has six sections
  1. Constraints
  2. Objectives
  3. Identified Risk
  4. Definition of Compensating Controls
  5. Validation of Compensating Controls
  6. Maintenance
› A compensating control must address the same risk & meet the intent & rigor of the control it replaces
› Management must re-approve compensating controls every year, at each assessment


Why Is PCI DSS Compliance Important?

› Hackers & large international organized crime groups target merchants & their payment channels
› High fees for noncompliance with PCI DSS
  • At the discretion of the payment brands
  • $5,000 to $10,000 per month
› The fallout of a card data breach
  • The resulting costs can be significant
  • A breach could cost an average of $200 per card number lost
  • Long-term reputational effects on an organization

Lack of PCI Compliance Can Cost

› Lost confidence; customers go to other merchants
› Diminished reputation
› Cost of reissuing new payment cards
› Fines
› Fraud losses
› Higher subsequent costs of compliance
› Termination of the ability to accept credit cards
› Going out of business


Benefits of PCI Compliance

› The security of cardholder data affects everyone
› Increases the security of cardholder data
› Customer confidence
› Better protection for clients
› Universal principles
› Avoidance of fines
› Reduces the cost of a breach

Summary

› PCI compliance is a requirement of the card brands, but not a law, for any organization that stores, processes or transmits payment card data
› The card brands set the standards & have the right to invoke penalties against organizations that fail PCI compliance
› The PCI Security Standards Council is the governing body that trains & qualifies assessors (QSAs)
› Organizations with over six million card transactions annually must have a Report on Compliance (ROC) performed by an independent QSA company
› Other organizations are able to complete a Self-Assessment Questionnaire (SAQ)
› There are 12 PCI DSS requirements, each with a number of sub-requirements/controls
› The cost of noncompliance is significant


Continuing Professional Credit

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org


CPE Credit

› CPE credit may be awarded upon verification of participant attendance
› For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]

bkd.com | @BKDLLP

Cindy Boyle | [email protected] @BKDCyber

The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered.
