The Payment Card Industry Data Security Standard leaves IT service providers with more questions than answers. Get an overview of PCI DSS, what it means for MSPs and VARs, and get a list of resources to learn more and achieve compliance for your own organization and clients.
1. PCI DSS for IT Providers
The rules and impact on MSPs and VARs
For PCI DSS Version 3.0
2. #webclinic
What is PCI DSS?
• Payment Card Industry Data Security Standard
• Enforced by the PCI Security Standards Council
• Council formed by the five major card brands shown
3. What’s the goal?
• Cardholder data:
– Primary account number
– Cardholder name
– Expiration date
– Service code
• Sensitive authentication data:
– Full track data (from the magnetic stripe)
– CAV2 / CVC2 / CVV2 / CID
– PIN blocks
• Protect cardholder data and sensitive authentication data
4. What does it cover?
• All components of the “cardholder data environment”
• Includes all people, processes, and technology that handle cardholder data
• Examples:
– Payment card readers, POS systems, PCs
– Firewalls, routers, switches, servers
– Purchased and custom applications
5. The Threat is Real
• Top motivation of cyber threats: money
• POS malware is proliferating
• Retailers large and small are being breached
Source: 2014 Verizon Data Breach Investigations Report
6. Who has to comply?
• Merchants
• Processors
• Financial institutions
• Service providers
• Anyone who stores, processes, or transmits cardholder data
7. What about MSPs and VARs?
• Must comply internally if you accept payment cards
• Must conform services to comply for clients
• Our recommendation: find a compliance expert
8. PCI DSS = Opportunity for IT Providers
• Clients need your expertise
• Offer new products and services for compliance
• Security is more than “compliance”, so offer enhanced protection
9. PCI DSS = Potential trap for IT Providers
• Failure to comply could cost you:
– Customer confidence
– Sales and revenue
– Reputation, brand damage
– Malpractice lawsuits
– Fines and penalties
– Cost of reissuing cards
10. Penalties for Noncompliance
• Card brands can issue fines of $5,000 to $100,000 per month
• Higher transaction fees
• Many small victims go out of business
– Cost of a breach can include containment, forensic investigation, legal fees, audits, card replacement
11. What are the rules?
• Build and Maintain a Secure Network and Systems
– 1. Install and maintain a firewall configuration to protect cardholder data
– 2. Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
– 3. Protect stored cardholder data
– 4. Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
– 5. Protect all systems against malware and regularly update anti-virus software or programs
– 6. Develop and maintain secure systems and applications
12. What are the rules? (continued)
• Implement Strong Access Control Measures
– 7. Restrict access to cardholder data by business need to know
– 8. Identify and authenticate access to system components
– 9. Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
– 10. Track and monitor all access to network resources and cardholder data
– 11. Regularly test security systems and processes
• Maintain an Information Security Policy
– 12. Maintain a policy that addresses information security for all personnel
13. How do I comply?
• Ask your merchant acquirer to walk you through the steps
• Small merchants typically must:
1. Complete a self-assessment questionnaire (SAQ)
2. Sign an attestation of compliance
3. Send the required documents to the merchant acquirer
14. How do I comply? (continued)
• Required documents include:
1. Vulnerability scan results
2. Security policy
3. Network diagram
15. Vulnerability scans
• External scan of the network
• Required by PCI DSS
• Results depend on the settings and condition of the firewall
• Performed by the merchant acquirer or an approved vendor
– Examples: SecurityMetrics; Trustwave
16. About Calyptix
Calyptix makes network security easy for small and medium networks. Our all-in-one solution, AccessEnforcer, delivers advanced protection in a simple platform.
Learn more: Calyptix.com
info@calyptix.com
704-971-8989
17. Calyptix Resources
• PCI DSS for IT Providers: 4 steps for compliance
– http://www.calyptix.com/pci-dss-it-providers-4-steps-for-compliance/
• PCI DSS and AccessEnforcer
– http://www.calyptix.com/pci-dss-accessenforcer/
• PCI DSS: Easier and cheaper compliance with SAQs
– http://www.calyptix.com/2014/07/pci-dss-make-compliance-easier-and-cheaper/
18. Additional Resources
• Requirements and Security Assessment Procedures:
– https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
• Report on Compliance Reporting Template:
– https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_ROC_Reporting_Template.pdf
• Attestation of Validation:
– https://www.pcisecuritystandards.org/documents/PA-DSS_Attestation_of_Validation_v3_0.docx
• Glossary of Terms, Abbreviations, and Acronyms:
– https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3.pdf
19. Additional Resources (continued)
• Understanding the SAQs for PCI DSS v3.0:
– https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf
• Self-Assessment Questionnaires:
– A – https://www.pcisecuritystandards.org/documents/SAQ_A_v3.docx
– B – https://www.pcisecuritystandards.org/documents/SAQ_B_v3.docx
– C – https://www.pcisecuritystandards.org/documents/SAQ_C_v3.docx
– D (Merchant) – https://www.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.docx
– D (Service Provider) – https://www.pcisecuritystandards.org/documents/SAQ_D_v3_ServiceProvider.docx