
PCI is a Business Issue, Not an IT Issue

28 October 2009

N.G.A./CSR PCI TOOLKIT

“No organization that has been completely compliant with PCI has been compromised”.
A. Bryan Sartin, Cybertrust
Chief, Forensic Investigator
May 2007

CSRSI EXPERIENCE

  1. Engagements with multiple grocers
  2. Not a single grocer examined was compliant with PCI DSS
  3. Aware of dozens of security breaches within the industry
  4. Significant misconceptions
  5. Grocers are extremely vulnerable

Recent major Wall Street Journal Articles
“How Credit Card Data Went Out Wireless Door” WSJ; May 4, 2007 A1
“Retailers Whose Slips Show Too Much Attract Lawsuits” WSJ; April 28, 2007 B1
“Card Companies Crack Down on Restaurants Personal Data Protection” WSJ; March 24, 2007 A1

Articles by Ross Federgreen in Grocery Headquarters
“Electronic Payment Card Handling in the Grocery Store – An Observational Study of Risk”; in press 2007
“Security Alert”; May, 2007
“Critical Choices in eCommerce”; September, 2006
“Telltale Patterns of Change”; March, 2006

The PCI TOOLKIT is the first and only integrated system that leads the merchant through all of the steps necessary to comply with the MANDATED Payment Card Industry Data Security Standard.

PCI DSS v 1.1 (September 2006)

PCI DSS v 1.1 is in line with the current best practice security recommendations of International Standards Code of Practice for Information Security Management (ISO 17799)

Federal Privacy and Security Data Legislation which corresponds with PCI DSS

  • HIPAA (Health Insurance Portability and Accountability Act) of 1996 TITLE II SECURITY
  • GRAMM-LEACH-BLILEY ACT of 1999
  • SARBANES-OXLEY ACT of 2002
  • FACTA (The Fair and Accurate Credit Transactions Act) of 2003

HIPAA TITLE II SECURITY

  • Administered by the Office of Civil Rights (OCR)*, HHS  *www.hhs.gov/ocr/privacy/enforcement/
  • OCR takes an aggressive view of pharmacy operations within grocery stores.
  • 153 referrals to the Center for Medicare and Medicaid Services (CMS) for potential violations of the HIPAA Privacy and Security Rules
  • 393 referrals to the Department of Justice (DOJ) for criminal investigations, with a significant number of convictions**  **Criminal sanctions are up to ten years in jail and a $250,000 fine per event.
  • LEAHY-SPECTER (S 495) PENDING “PERSONAL DATA PRIVACY and SECURITY ACT of 2007”

Key Points

  • SAFE HARBOR for COMPLIANCE [Title III section 301 (d)]
  • Increased civil and criminal penalties for concealment of security breaches (Title I section 102)*  *Up to 5 years in prison and up to $500,000 per event
  • Definition of sensitive personally identifiable information: “A unique account identifier, electronic identification number, user name, or routing code in combination with any associated security code, access code or password that is required for an individual to obtain money, goods, services or any other thing of value” [Section 3 (11) (a) (iv)]

Business Case for PCI DSS Compliance

  • Mandated
  • Maintain positive image
  • Enhance consumer confidence
  • Improve bottom line
  • Reduce exposure to fraud losses

LEVEL 3*

  • Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year per MID**.

LEVEL 4*

  • Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year per MID**.

*Definitions July 18, 2006 PCI Security Standards Council
**MID Merchant Identification Number

LEVEL 3 AND 4 MERCHANT REQUIREMENTS

  • Annual PCI Self-Assessment Questionnaire
  • Quarterly Network Scan – MUST BE PERFORMED BY APPROVED SCANNING VENDOR (ASV)

COMPLIANCE DUE DATES

  • LEVEL 3 Merchants JUNE 30, 2005
  • LEVEL 4 MERCHANTS Acquirer*

*All major financial institutions require level 4 merchants to file the annual self-assessment questionnaire, and many require filing of quarterly penetration scans.
IF THERE IS A COMPROMISE, ALL MERCHANTS ARE NOW SUBJECT TO NON-COMPLIANCE PENALTIES FOR FAILURE TO BE PCI COMPLIANT AT THE TIME OF COMPROMISE

Fines and Penalties

  • Restriction on processing
  • Permanent prohibition from processing
  • Financial fines
  • Violation of applicable federal and state laws
  • Fraud losses perpetrated using the account numbers compromised
  • (Ongoing financial as well as security and replacement cost)

FINANCIAL PENALTIES FOR NON-COMPLIANCE
$500,000 per incident – Compromise resulting in loss or theft of cardholder information where the merchant was found to be noncompliant at the time of the compromise.
$100,000 per incident – Failure to immediately (within 24 hours) notify credit card companies of suspected or confirmed loss or theft of transaction information.

FINANCIAL PENALTIES LEVIED
VISA fined Category 1 merchants 4.6 million dollars from January 1, 2006 to September 30, 2006*.
Visa fined Category 1 merchants 3.4 million dollars from January 1, 2005 to December 31, 2005*.
System fines for all merchant categories are expected to exceed 25 million dollars in 2007.
*VISA CISP BULLETIN December 12, 2006

ALL MERCHANTS SUBJECT TO NON-COMPLIANCE PENALTIES FOR FAILURE TO BE PCI COMPLIANT IF COMPROMISED!

  • Do not depend upon your software vendor to provide you with the compliance that you must have.
  • StoreNext® (May 2007): “With a ‘PCI Isolated’ POS and Connected Payments, no card data remains in the store, removing the store from all requirements with the exception of the audit questionnaire.”

N.G.A./CSR PCI TOOLKIT

  • The PCI TOOLKIT enables level II, III and IV merchants to comply with all the requirements of PCI DSS.
  • The PCI TOOLKIT provides the merchant with a fully integrated, step-by-step solution.
  • The PCI TOOLKIT is fully supported by the experience and resources of CSRSI.

The PCI TOOLKIT consists of everything you need:

  1. Customized Written Policies
  2. Customized Written Procedures
  3. Customized Written Employee Handouts
  4. Training Aids
  5. Detailed Assistance with the Self Assessment Questionnaire
  6. Quarterly Penetration Scanning
  7. Industry Specific Information
  8. Detailed Glossary
  9. Breach Insurance upon completion

CSRSI GUARANTEES SUCCESS:

  • If you successfully complete each of the elements of the PCI TOOLKIT and you are unable to become PCI compliant, CSRSI will provide you with a 100% refund.

CSRSI PROTECTS YOU:

  • Once you successfully complete each of the elements of the PCI TOOLKIT you are added to a master policy held by CSRSI and underwritten by Great American Insurance Group in the amount of $25,000 with a zero dollar deductible to protect you against the costs associated with a data breach!
  • The policy is a specific Compromised Data Expense Reimbursement Contractual Liability Insurance Policy*

*Please see the insurance policy declaration page for details.

SELF-ASSESSMENT QUESTIONNAIRE (SAQ)

  • The SAQ consists of 75 questions all of which must be answered yes to pass.
  • To answer the SAQ, written policies, procedures, employee training aids and handouts are required.
  • The SAQ must be filed with your merchant bank.
  • Answering the SAQ in a false or uninformed manner will lead to civil and potential criminal penalties, including the loss of credit card acceptance.
  • The SAQ remains on file as long as you process

Each of the 75 SAQ questions is fully explained to assist you.

EXAMPLE OF SAQ QUESTION with EXPLANATION:

Requirement 7: Restrict access to data by business need-to-know.

7.1 Is access to the payment account numbers restricted for users on a need-to-know basis?

ANSWER CHECKLIST:

  1. Access to cardholder data must be restricted on a job-driven, need-to-know basis.
  2. Access must be restricted to the least privileges necessary to perform job function.
  3. The access control system must be set to deny all access unless specific permission is granted.
  4. A policy must be in place to address the issue of access to payment account numbers and information. (SEE POLICY)

Written Policies that are required by the SAQ include:

  • SECURITY STANDARD POLICY
  • AUDIT LOG POLICY
  • SOFTWARE APPLICATION DEVELOPMENT POLICY
  • PASSWORD POLICY
  • INFORMATION SECURITY POLICY
  • INFORMATION SECURITY TRAINING PROGRAM POLICY
  • SECURITY INCIDENT RESPONSE POLICY

PASSWORD POLICY EXAMPLE
VII. Password Policy

1. Purpose
1.1. Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Ubetchalife, Inc’s entire corporate network.

1.2. The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

2. Scope and Responsibility
2.1. This policy is applicable to any computer system or environment that records or stores Credit Card Primary Account Numbers (PANs).

2.2. The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Ubetchalife, Inc. facility, that has access to the Ubetchalife, Inc. network, and that stores any PAN data.

2.3. Managers responsible for Human Resources and Information Technology are required to implement this policy via Procedure VII, ‘Password Procedure and Guideline.’

3. Policy
3.1. General

3.1.1. All system-level passwords shall be changed on at least a quarterly basis.

3.1.2. All production system level passwords shall be recorded in a password management database or log.

3.1.3. All user-level passwords shall be changed at least every six months. The recommended change interval is every four months.

3.1.4. User accounts that have system level privileges granted through group memberships or programs shall have a unique password from all other accounts held by that user.

3.1.5. Passwords shall not be inserted into email messages or other forms of electronic communication.

3.1.6. Vendor-supplied or standard default login passwords shall be changed on any new Network or Internet account that can access PAN data.

3.1.7. All user-level and system-level passwords shall conform to the Password Procedure and Guideline.

3.1.8. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

4. References and Cites
4.1. Payment Card Industry Data Security Standard v1.1 Self Assessment Questionnaire Requirements; Section 8, ‘Assign a unique ID to each person with computer access.’

5. Records
5.1. Ubetchalife, Inc. Procedure VII Password Procedure and Guideline, Appendix A.

6. Definitions
6.1. Application Administration Account – Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).

6.2. Strong Password – A password that is at least 8 characters long and uses a combination of letters and numbers or special characters, e.g. *^%#. An example of a strong password is: I81@joe_s.

6.3. Primary Account Number (PAN) – A primary account number is the number that is embossed on a credit card.

6.4. Production System Level Password – A password that can access administrative functions and data on a computer system that is used in the normal course of business by many users. Sometimes called an Administrative Password.
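A small checker for two of the rules in the example policy above (6.2 strong passwords, and the 3.1.1/3.1.3 rotation intervals), added here as an illustration; it is not part of the PCI TOOLKIT or the policy itself, and the special-character set, the account records and the audit date are constructed assumptions.

```python
from datetime import date
# 6.2 lists *^%# as example special characters; the full set is an assumption.
SPECIAL_CHARS = set("*^%#!@$&_-.")
# 3.1.1: system-level passwords rotate at least quarterly;
# 3.1.3: user-level at least every six months, four months recommended.
MAX_AGE_DAYS = {"system": 90, "user": 180}
RECOMMENDED_DAYS = {"system": 90, "user": 120}


def is_strong(password: str) -> bool:
    """6.2: at least 8 chars, letters combined with digits or special chars."""
    if len(password) < 8:
        return False
    has_letter = any(c.isalpha() for c in password)
    has_digit_or_special = any(c.isdigit() or c in SPECIAL_CHARS for c in password)
    return has_letter and has_digit_or_special


def rotation_status(level: str, age_days: int) -> str:
    """OVERDUE breaches the policy maximum; DUE exceeds the recommended interval."""
    if age_days > MAX_AGE_DAYS[level]:
        return "OVERDUE"
    if age_days > RECOMMENDED_DAYS[level]:
        return "DUE"
    return "OK"


def audit_rotation(accounts, as_of):
    """Flag accounts past their rotation interval, using metadata only (no
    passwords), as a 3.1.2 password log would hold. Returns [(name, age, status)]."""
    findings = []
    for name, level, last_changed in accounts:
        age = (as_of - last_changed).days
        status = rotation_status(level, age)
        if status != "OK":
            findings.append((name, age, status))
    return findings


# Constructed sample records: (account, privilege level, last password change).
SAMPLE_ACCOUNTS = [
    ("pos-admin", "system", date(2009, 6, 1)),
    ("cashier12", "user", date(2009, 6, 1)),
    ("db-root", "system", date(2009, 9, 1)),
    ("backoffice", "user", date(2009, 3, 1)),
]
AS_OF = date(2009, 10, 28)  # constructed audit date

if __name__ == "__main__":
    for pw in ("I81@joe_s", "password", "Ab#12345"):
        print(f"{pw!r:14} strong={is_strong(pw)}")
    for finding in audit_rotation(SAMPLE_ACCOUNTS, AS_OF):
        print(*finding)
```

The strength check belongs wherever a password is set; the rotation audit runs against the password log or directory metadata, so no password ever needs to be read by the audit.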


IMPORTANT POINTS

  • PCI is a business issue not an IT issue.
  • The bank is not responsible for PCI compliance you are.
  • Greater than 90% of breaches are local: they occur everywhere.
  • “I can do PCI myself.” As the saying goes, “Only a fool has himself for a lawyer!”
  • “PCI is getting easier”. False! It is becoming much more complicated.
  • “PCI compliance is too expensive.” False! PCI non compliance is expensive.