Published on February 6, 2014
PCI Compliance Overview: How to Safely Accept Credit Cards
What is PCI?
When you accept credit cards, you must also follow a set of guidelines for protecting credit card data.
• Payment Card Industry Data Security Standard (PCI-DSS)
• Set of regulations developed and enforced by the major card brands.
• Requires an annual Self Assessment Questionnaire (SAQ) as a way to evaluate the security in your office.
• Depending on how you process credit cards, your SAQ might ask questions pertaining to how you store credit card data, who has access to your machine, or whether you process credit cards via a wireless connection.
• The process helps identify potential security risks and protects both you and your clients from fraud.
Goals of PCI-DSS
• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy
Just the Facts
• More than 80% of attacks target small merchants
• Criminals are turning their attention to smaller merchants with lax security
• Most attacks can be prevented by simple methods
• Following the PCI-DSS can help protect your law firm from fraud and/or costly fines
Who Must Comply?
• Any merchant that processes, transmits, or stores credit card data
• Every merchant is responsible for compliance even if using PCI Certified Service Providers
• Every merchant must validate compliance every year
12 Requirements for Compliance
• Build and Maintain a Secure Network
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
• Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security
Requirement 4 -- Examples
Encrypt transmission of cardholder data across open, public networks
• Practical Application
  • Do not send unencrypted credit card data by email, chat programs, instant messaging, etc.
Case Studies – Requirement 4
• Emailing the full credit card number is one of the most common violations
• Unencrypted faxes
• Contractor emails 27,000 names and social security numbers to home email *
• “Email, (especially if internal-to-internal) is often perceived as private and escapes the examination of information security teams…” **
* http://www.datalossdb.org/
** http://www.verizonbusiness.com/resources/reports/rp_2010-payment-card-industry-compliance-report_en_xg.pdf
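One way a firm can catch the violation described above before a message leaves the building is an outbound-mail check that looks for full card numbers and blocks or quarantines the message. The following is an added example, not code from the deck or from AffiniPay/LawPay; the message fields, the sample messages and the sender addresses are constructed for illustration, and the card numbers are the publicly known test numbers 4111 1111 1111 1111 and 5500 0000 0000 0004.

```python
import re

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that real card numbers satisfy; filters out order numbers etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the full card numbers (digits only) found in free text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which is the only part a log or alert should record."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_message(sender: str, subject: str, body: str) -> dict:
    """Decide whether an outbound message must be blocked; never stores the full PAN."""
    pans = find_pans(body)
    return {"sender": sender, "subject": subject,
            "blocked": bool(pans), "pans_masked": [mask_pan(p) for p in pans]}


# Constructed sample messages (hypothetical firm addresses, test card numbers only).
SAMPLE_MESSAGES = [
    ("paralegal@example-firm.test", "Retainer payment",
     "Client card: 4111 1111 1111 1111 exp 12/26, please run it."),
    ("billing@example-firm.test", "Order confirmation",
     "Order 1234567890123456 shipped; questions: 555-123-4567."),
    ("partner@example-firm.test", "Re: invoice",
     "Last four on file: 1111. No full number needed."),
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(scan_message(*msg))
```

The second message contains a 16-digit order number that fails the Luhn check, so it passes through; the Luhn step is what keeps such a filter from flooding staff with false alarms.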
Requirement 7 -- Example
Restrict access to cardholder data by business need-to-know
• Practical Application
  • Only grant permission to select people in your office to run credit card transactions and have access to stored credit card data
Case Studies – Requirement 7
• “…The typical U.S. organization loses 7% of its annual revenues to fraudulent activity” *
• Small organizations have a higher median loss
• Establish internal controls
Requirement 9 -- Example
Restrict physical access to cardholder data
• Practical Application
  • Paper receipts with full credit card data must be kept under lock and key.
  • A process is in place to securely transport data if necessary.
  • All credit card data is securely destroyed when no longer needed.
Case Studies – Requirement 9
• Credit Union improperly disposed of credit card data and exposes 257 records.
• Non-profit worker misplaces 212 files containing birthdates, social security numbers, addresses, and phone numbers.
Requirement 12 -- Example
Maintain a policy that addresses information security
• Practical Application
  • Develop comprehensive policies and procedures to address employee responsibilities, incident response plans, service provider monitoring, etc.
Case Studies – Requirement 12
• “…The overwhelming majority of data breaches (especially of cardholder data) come down to a failure to do what is planned.” *
• PCI is not a date on a calendar. It is an ongoing event.
Becoming Compliant
• You’re already on the right track
• AffiniPay and LawPay’s PCI Central provides a simplified solution
• Replaces the cumbersome and time-consuming paper process
• Guides you through the 12 requirements & SAQ
• Online SAQ can be completed in 20-30 minutes
• All online – PCI Central stores your information, generates an electronic certificate and knows all the rules, so you don’t have to