{"id":213,"date":"2009-03-24T17:00:26","date_gmt":"2009-03-24T22:00:26","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=213"},"modified":"2009-04-08T15:03:18","modified_gmt":"2009-04-08T20:03:18","slug":"pci-compliance-convert-drudgery-into-a-powerful-security-framework","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/24\/pci-compliance-convert-drudgery-into-a-powerful-security-framework\/","title":{"rendered":"PCI Compliance &#8211; Convert Drudgery Into a Powerful Security Framework"},"content":{"rendered":"<p>For my last session of the day at TRISC 2009, I decided to attend Joseph Krull&#8217;s presentation on PCI Compliance. Joe works as a consultant for Accenture and has performed 60+ PCI engagements for various companies. If your organization does any processing of credit card information, my notes from that session below should be useful:<\/p>\n<ul>\n<li>As many as 65% of merchants are still not PCI compliant<\/li>\n<li>Fines can be just the beginning; service charges and market share price dilution for non-compliant merchants have already had substantial repercussions in the US and may soon reach other regions<\/li>\n<li>Many retailers still don\u2019t have a clear view of compliance, and cannot effectively identify gaps<\/li>\n<li>The first steps to PCI compliance are a thorough internal assessment and gap analysis \u2013 many merchants skip these steps and launch multiple costly projects<\/li>\n<li>PCI provides a regulatory and compliance framework to help prevent credit card fraud for organizations that process card payments<\/li>\n<li>The framework is comprehensive and effective, but adherence to the specific standards is often challenging \u2013 primarily due to the complexities involved in both program design and implementation<\/li>\n<li>Any merchant that accepts or processes credit cards must maintain compliance with the PCI DSS. Specific obligations vary based on transaction volumes.<\/li>\n<li>The focus right now is on the Level 4s.<\/li>\n<li>TJX was made subject to 20 years of mandatory computer systems audits after its massive breach<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Challenges<\/strong><\/span><\/p>\n<ul>\n<li>Providing adequate and clear program management for the entire spectrum of PCI remediation activities (60-70% hand it to the \u201ccompliance guy\u201d and typically fail; it should go to the senior security person)<\/li>\n<li>Accurately scoping requirements throughout the organization, including remote sites and international operations<\/li>\n<li>Evaluating and then implementing a wide variety of complex technologies \u2013 including encryption<\/li>\n<li>Redesigning or replacing internal applications and payment systems to adequately protect cardholder data<\/li>\n<li>Developing, implementing and enforcing new or revised policies and procedures across the entire organization<\/li>\n<li>Differing opinions with auditors regarding PCI compliance requirements, especially related to the concept of \u201cCompensating Controls\u201d<\/li>\n<li>Verifying PCI compliance for 3rd party partners that process data on behalf of the merchant<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Differences from PCI DSS 1.1 to 1.2<\/strong><\/span><\/p>\n<ul>\n<li>Active monitoring plans for all 3rd party PCI Service Providers (Requirement 12.8)<\/li>\n<li>Visits to offsite data storage locations at least annually<\/li>\n<li>Mandatory phase-out of weak encryption for wireless networks<\/li>\n<li>Additional requirements for the use of \u201cCompensating Controls\u201d for specific PCI security requirements<\/li>\n<li>Assessor testing procedures changed from \u201cObserve the use of\u2026\u201d to \u201cVerify the use of\u201d<\/li>\n<li>Quality assurance program for PCI assessors<\/li>\n<li>A process now restricts or bars assessors from performing PCI work due to poor-quality assessments<\/li>\n<li>Assessors must now go beyond cursory observation of security controls and provide statistical samples<\/li>\n<li>Assessors now go much deeper, including verifying individual system settings, requesting and analyzing configuration files, studying data flows, \u2026<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>The Cost of Compliance and Non-Compliance<\/strong><\/span><\/p>\n<ul>\n<li>According to a comprehensive Forrester Research report on PCI compliance, companies spend between 2%-10% of their IT budget on PCI compliance<\/li>\n<li>Credit card companies are levying fines on non-compliant merchants\n<ul>\n<li>Up to $25,000 per month of non-compliance for L1s ($5,000 for L4s)<\/li>\n<li>$10,000-$100,000 per month for prohibited storage of magnetic stripe data<\/li>\n<li>Up to $500,000 per incident if a confirmed compromise occurs<\/li>\n<li>Continued non-compliance may result in revocation of credit card processing privileges<\/li>\n<\/ul>\n<\/li>\n<li>Banks and acquirers may increase processing fees for non-compliant merchants. In 2008, one retailer estimated an annual increase in operational costs of $18 million due to this increase in processing fees on VISA card transactions alone.<\/li>\n<li>Banks and acquirers can often pass on damages they incur to merchants<\/li>\n<li>Repeat or additional PCI assessments &amp; internal audits<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Corporate Compliance Framework<\/strong><\/span><\/p>\n<ul>\n<li>Although PCI provides compliance requirements in most areas, it\u2019s only a subset<\/li>\n<li>ISO 27002:2005 is what they used for PCI<\/li>\n<li>Good general requirements, but no explanation of how to do it<\/li>\n<li>PCI sets best practices<\/li>\n<li>For example, ISO 5.1.1 maps to PCI 12.1, 12.4, and 12.6.2<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>How to \u201cSell\u201d PCI Compliance to Senior Management<\/strong><\/span><\/p>\n<ul>\n<li>Gloom and Doom\n<ul>\n<li>Fines and sanctions will sink us<\/li>\n<li>Probability of success: 40-50%<\/li>\n<\/ul>\n<\/li>\n<li>The PCI Umbrella\n<ul>\n<li>We need these 15 projects and 10 new security products to be PCI compliant<\/li>\n<li>Probability of success: 40-50%<\/li>\n<li>Who has done the gap assessment?<\/li>\n<\/ul>\n<\/li>\n<li>The Long Term Approach\n<ul>\n<li>If we achieve PCI compliance we will also be well on our way to meeting other requirements<\/li>\n<\/ul>\n<\/li>\n<li>PCI compliance is not a project or a technology-based solution \u2013 it is being able to demonstrate that an organization has the means in place to protect sensitive information<\/li>\n<li>Use it as a building block when selling to senior management<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>For my last session of the day at TRISC 2009, I decided to attend Joseph Krull&#8217;s presentation on PCI Compliance. Joe works as a consultant for Accenture and has performed 60+ PCI engagements for various companies. If your organization does any processing of credit card information, my notes from that session below should be useful: [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[9,222],"tags":[237,236,618,622],"class_list":["post-213","post","type-post","status-publish","format-standard","hentry","category-pci","category-texas-regional-infrastructure-security-conference-2009","tag-compliance","tag-dss","tag-pci","tag-security"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-3r","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/213","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=213"}],"version-history":[{"count":1,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/213\/revisions"}],"predecessor-version":[{"id":214,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/213\/revisions\/214"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=213"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=213"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=213"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}