The document discusses compliance with the Payment Card Industry Data Security Standard (PCI-DSS). It defines PCI-DSS, explains why businesses should be compliant, outlines the penalties for non-compliance and for data breaches, lists the key steps towards compliance, and describes how Rackspace can help through its managed security services. Rackspace itself has been accredited as a PCI-DSS compliant service provider for the physical security of its data centres and offices and for its network infrastructure.
Demystifying PCI DSS
Demystifying Payment Card Industry Data Security Standard Compliance
Francis Ofungwu
Manager of Security Strategy, Rackspace
Rackspace Partner Network
www.rackspace.co.uk
Agenda
• What is PCI-DSS?
• Why Should My Business or Clients Be PCI-DSS Compliant?
• Penalties For Non-Compliance
• Penalties For Security Breaches
• Key Steps Towards PCI-DSS Compliance
• How Rackspace Can Help
• Rackspace’s PCI-DSS Position
• Questions
What is PCI-DSS?
According to the PCI Security Standards Council:
PCI-DSS is a set of comprehensive requirements for
enhancing payment account data security.
• The standard is maintained by the PCI Security Standards Council, which was founded by
American Express, Discover Financial Services, JCB International, MasterCard
Worldwide and Visa.
• The primary aim of the council was to help facilitate the broad adoption of
consistent data security measures on a global basis.
• “PCI DSS should now be considered Business As Usual for any merchant
accepting cards.” (HSBC PCI-DSS Merchant Guide-January 2008)
Why Should My Business or Clients Be PCI-DSS Compliant?
If your business stores, processes, or transmits cardholder data,
it is required to be PCI-DSS compliant.
This also applies to service providers that provide services to
merchants who store, process, or transmit cardholder data.
Non-compliance with PCI-DSS could lead to:
• Loss of reputation
• Increased costs for accepting credit card transactions
• Substantial fines associated with security breaches and non-compliance
• Revocation of a merchant’s ability to accept credit card payments
Penalties for Non-Compliance
Penalties for non-compliance will depend on the card scheme.
Examples of non-compliance penalties are as follows:

Event                                                    Penalty (Euro)
Non-compliance 30 days after the notification letter      5,000 per incident of non-compliance
Non-compliance 90 days after the notification letter     10,000 per incident of non-compliance
Non-compliance 120 days after the notification letter    25,000 per incident of non-compliance
Penalties for Security Breaches
When there is a breach, the card scheme will require an independent forensic
investigation.
As with the penalties for non-compliance, penalties levied for security breaches will
depend on the card scheme. For example:

Number of compromised accounts    Penalty
0 – 19,999                         25,000
20,000 – 99,999                   100,000
100,000 – 199,999                 200,000
200,000 – 299,999                 300,000
300,000 – 399,999                 400,000
400,000 – 499,999                 500,000
> 500,000                         750,000
Key Steps Towards PCI-DSS Compliance
• Contact your merchant bank
• Conduct a scoping exercise
• Review business processes
• Utilise the information on the PCI-SSC Website
https://www.pcisecuritystandards.org/
• Engage a QSA (Qualified Security Assessor)
• Engage an ASV (Approved Scanning Vendor)
• Don’t rest on your laurels: compliance has to be maintained and re-validated continuously, not treated as a one-off project
How Rackspace can help
The Rackspace PCI-DSS Toolbox:
Rackspace’s PCI Toolbox solution: Hardware, Software, and Services
• Managed Cisco Firewalls
• VPN System Management Access (included with all firewalls)
• Sophos/Symantec Anti-virus protection
• SSL Certificates
• Alert Logic Intrusion Detection Services (IDS)
• PCI ASV Network Scanning Service (included with IDS)
• Physical System Security (included with standard support)
• Patch Management Services (included with standard support)
How Rackspace can help
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to
protect cardholder data
• Fully Managed Cisco Firewalls
• VPN System Management Access
• Network Segmentation.
Requirement 2: Do not use vendor-supplied defaults for system
passwords and other security parameters.
Rackspace implements industry best practices in network device deployments to
ensure system hardening specifications required by the standard are met.
How Rackspace can help
Maintain a Vulnerability Management
Program
Requirement 5: Use and regularly update anti-virus software.
Rackspace provides a Managed Anti-Virus solution that provides proactive protection
against viruses, worms, Trojans, spyware and other malware.
Requirement 6: Develop and maintain secure systems and
applications.
Rackspace provides a reliable and flexible Managed Patching service to help
maintain secure systems.
How Rackspace can help
Implement Strong Access Control Measures
Requirement 9: Restrict physical access to cardholder data
Rackspace physical security controls are based on the best practices set out in the
ISO/IEC 27002:2005 Information Security Standard. These controls include:
• Data centre access limited to Rackspace data centre technicians
• Biometric scanning for controlled data centre access
• Security camera monitoring at all data centre locations
• 24x7 onsite staff provide additional protection against unauthorised entry
• Unmarked facilities to help maintain low profile
How Rackspace can help
Regularly Monitor and Test Networks
Requirement 11: Regularly test security systems and processes
Rackspace offers an Intrusion Detection System (IDS) service that meets a number
of sub-requirements set out in requirement 11 of the standard, including the
quarterly internal and external vulnerability scans, with the external scans
performed by a PCI SSC Approved Scanning Vendor (ASV).
Rackspace’s PCI-DSS Position
On June 30, 2009, Visa USA accredited Rackspace Hosting as a Compliant
Level 1 Payment Card Industry (PCI) Service Provider. The scope of
Rackspace’s 2009 PCI Service Provider accreditation covers the following:
• Physical security for the UK and US data centres and the US and UK offices
• Network infrastructure (routers and switches)
• Rackspace employee access to network devices
Anything outside this scope, in particular the customer’s own servers, applications
and handling of cardholder data, is not covered by this accreditation and must be
assessed as part of the customer’s own PCI-DSS validation.
Summary
•If you store, process, or transmit cardholder data then you have a
requirement to be PCI-DSS compliant.
•There are penalties associated with non-compliance and data
security breaches.
•Rackspace can help you and your clients drive PCI-DSS
compliance through the PCI-DSS Toolbox.
•Review the information publicly available on the PCI-SSC
website: https://www.pcisecuritystandards.org/