PCI 3.1 Boot Camp Payment Card Industry - PowerPoint Presentation

Uploaded by min-jolicoeur on 2019-11-20



Presentation Transcript

PCI 3.1 Boot Camp
Payment Card Industry Data Security Standards 3.1

Purpose
Why am I here?
PCI 3.1 Boot Camp - March 2016

Agenda
- PCI Importance
- SAQ Review
- Mitigation Plan for SSL/early TLS
- EMV vs P2PE

PCI Compliance Reset: Self Assessment Questionnaire
- Start early
- Complete it accurately
- Cash Management is the central point of contact (POC)
- Use Technical Contacts and Vendors
- Use HUIT Sec/NOC/SOC/Desktop Support
- Answer N/A or No with compensating controls
- Keep supporting documentation on file

PCI Compliance Reset
- External Vulnerability Scans are important
- Internal Vulnerability Scans or Application Scans must be done, if required
- Network Diagrams of the CDE are to be submitted to Cash Management

PCI Compliance Reset
- Documented local Business Policies
- Document current business processes
- Updated/reviewed annually
- Comply with latest PCI standards
- Annual PCI Awareness Training for all staff

PCI Compliance Reset
- Vendor Service Agreements: document which PCI DSS requirements are managed by each service provider, and which are managed by the merchant.

SAQ Review: When to use SAQ A vs SAQ A-EP
- All processing of cardholder data is entirely outsourced to a PCI DSS validated 3rd-party Service Provider = SAQ A
- All processing of cardholder data, with the exception of the payment page, is entirely outsourced to a PCI DSS validated 3rd-party payment processor = SAQ A-EP

SAQ Review: When to use SAQ A vs SAQ A-EP
- All elements of all payment pages delivered to the consumer's browser originate only and directly from a PCI DSS validated 3rd-party service provider = SAQ A
- Each element of the payment page delivered to the consumer's browser originates from either the merchant's website or a PCI DSS compliant service provider = SAQ A-EP

Examples of SAQ A Merchant
- Merchant has no access to their website, and the website is entirely hosted and managed by a compliant 3rd-party payment processor, OR
- Merchant website provides an iFrame or URL link to a PCI DSS compliant 3rd-party payment processor.

Examples of SAQ A-EP Merchant
- Merchant website creates the payment form and Direct Posts (SOAP) to the payment processor
- Merchant website loads or delivers script that runs in the consumer's browser (e.g. JavaScript) and provides functionality that supports creation
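The SAQ A / SAQ A-EP criteria and the merchant examples above both turn on one question: where does each element of the payment page come from? The script below is an added example, not part of the presentation, that inventories the payment-relevant elements of a checkout page (scripts, iframes, forms, card input fields) by origin and reports which ones are not delivered by the validated provider. The page URL, the processor hostname and the three sample pages are constructed, and the decision rule it applies is an assumption stated in the code: it is deliberately conservative, so a merchant-delivered script or form anywhere on the page is flagged.

```python
"""Inventory the elements of a checkout page by origin, to support the SAQ A vs
SAQ A-EP decision.  Added example, not from the presentation; the page URL,
provider origin and HTML samples are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input names/ids that indicate a card data field in the merchant's own markup.
CARD_FIELD = re.compile(r"card|pan|ccnum|cvv|cvc|expir", re.I)


def origin_of(url):
    """scheme://host[:port] of a URL, lower-cased for comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


class PaymentElements(HTMLParser):
    """Records, for each payment-relevant element, where its code or content comes from."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_origin = origin_of(page_url)
        self.elements = []  # (kind, origin, detail)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            if a.get("src"):
                src = urljoin(self.page_url, a["src"])
                self.elements.append(("script", origin_of(src), src))
            else:
                # Inline script is delivered as part of the merchant's markup.
                self.elements.append(("script", self.page_origin, "inline"))
        elif tag == "iframe" and a.get("src"):
            src = urljoin(self.page_url, a["src"])
            self.elements.append(("iframe", origin_of(src), src))
        elif tag == "form":
            # The form markup itself originates from the page that serves it,
            # even when its action posts directly to the processor.
            action = urljoin(self.page_url, a.get("action", ""))
            self.elements.append(("form", self.page_origin, f"posts to {origin_of(action)}"))
        elif tag == "input" and CARD_FIELD.search(a.get("name", "") + a.get("id", "")):
            self.elements.append(("card-input", self.page_origin, a.get("name") or a.get("id")))


def saq_signal(page_url, html, provider_origins):
    """Return (candidate SAQ, elements not originating from a provider origin).

    Rule as implemented here (an assumption for this example): the page is a SAQ A
    candidate only when every script, iframe, form and card field originates from a
    validated provider origin; anything delivered from the merchant's own site
    points to SAQ A-EP.
    """
    parser = PaymentElements(page_url)
    parser.feed(html)
    provider = {o.lower() for o in provider_origins}
    outside = [e for e in parser.elements if e[1] not in provider]
    return ("SAQ A" if not outside else "SAQ A-EP"), outside


# Constructed samples: a merchant checkout page and a validated provider origin.
PAGE_URL = "https://shop.example.test/checkout"
PROVIDER = {"https://pay.example-processor.test"}

# Slide's SAQ A example: merchant page only embeds the processor's iFrame.
IFRAME_PAGE = ('<html><body><h1>Checkout</h1>'
               '<iframe src="https://pay.example-processor.test/frame?order=1"></iframe>'
               '</body></html>')
# Slide's first SAQ A-EP example: merchant creates the form and direct-posts it.
DIRECT_POST_PAGE = ('<form action="https://pay.example-processor.test/post" method="post">'
                    '<input name="cardnumber"><input name="cvv"></form>')
# Slide's second SAQ A-EP example: merchant delivers the script that builds the page.
JS_PAGE = '<div id="pay"></div><script src="/static/checkout.js"></script>'

if __name__ == "__main__":
    for name, page in [("iframe", IFRAME_PAGE), ("direct post", DIRECT_POST_PAGE), ("merchant js", JS_PAGE)]:
        print(name, saq_signal(PAGE_URL, page, PROVIDER))
```

The output is a signal for the merchant and Cash Management to review, not a determination; in particular the wrapper page around an iFrame still needs to be checked for other scripts, which this rule flags on purpose.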


SSL/Early TLS
- Requirement 2.2.3: Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.
- Requirement 2.3: Encrypt all non-console administrative access using strong cryptography.
- Requirement 4.1: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.

Mitigating SSL and early TLS: Risk-mitigation controls
- Consolidate functions that use vulnerable protocols onto a few systems
- Remove/disable web browsers, JavaScript and cookies where they are not needed
- Configure firewalls to permit SSL/early TLS only to known IP addresses
- Expand coverage of intrusion-protection systems
- Identify unusual increases in requests for fallback to vulnerable protocols
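Two of the controls above are checks a team can run over its own connection logs: legacy handshakes from hosts that are not on the firewall's known-IP list, and an unusual increase in fallback to vulnerable protocols. The script below is an added example, not part of the presentation. Its log format (timestamp, client IP, negotiated protocol, cipher suite) and every log line are constructed; what counts as "legacy" (all SSL versions plus TLS 1.0) and the spike threshold (more than three times the median hourly count, and at least five) are assumptions chosen for the example.

```python
"""Spot SSL / early TLS use in connection logs: legacy handshakes from unknown
hosts, and hourly spikes in fallback to vulnerable protocols.  Added example,
not from the presentation; log format and lines are constructed."""
from collections import Counter
from statistics import median

# Treated as vulnerable here: SSL (all versions) and TLS 1.0 ("early TLS").
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}

# Constructed log: "<timestamp> <client ip> <negotiated protocol> <cipher suite>"
SAMPLE_LOG = """\
2016-03-08T10:02:11Z 203.0.113.7 TLSv1 AES128-SHA
2016-03-08T10:20:45Z 198.51.100.4 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
2016-03-08T10:41:03Z 203.0.113.7 TLSv1 AES128-SHA
2016-03-08T11:05:19Z 198.51.100.9 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
2016-03-08T11:33:52Z 203.0.113.7 TLSv1 AES128-SHA
2016-03-08T11:48:00Z 203.0.113.7 SSLv3 RC4-SHA
2016-03-08T12:01:07Z 198.51.100.21 TLSv1 AES128-SHA
2016-03-08T12:01:09Z 198.51.100.22 TLSv1 AES128-SHA
2016-03-08T12:01:12Z 198.51.100.23 SSLv3 RC4-SHA
2016-03-08T12:01:15Z 198.51.100.24 TLSv1 AES128-SHA
2016-03-08T12:01:18Z 198.51.100.25 TLSv1 AES128-SHA
2016-03-08T12:01:21Z 198.51.100.26 TLSv1 AES128-SHA
2016-03-08T12:01:24Z 198.51.100.27 SSLv3 RC4-SHA
2016-03-08T12:30:00Z 198.51.100.4 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
"""

# Constructed allow list: the one legacy client the firewall is meant to permit.
KNOWN_LEGACY_CLIENTS = {"203.0.113.7"}


def parse_log(text):
    """One dict per non-empty log line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, proto, cipher = line.split()
        records.append({"ts": ts, "ip": ip, "proto": proto, "cipher": cipher})
    return records


def legacy_from_unknown_hosts(records, allowed_ips):
    """Legacy-protocol handshakes from IPs outside the allow list: each one is a
    firewall exception to review."""
    return [(r["ts"], r["ip"], r["proto"]) for r in records
            if r["proto"] in LEGACY_PROTOCOLS and r["ip"] not in allowed_ips]


def fallback_spikes(records, factor=3, min_count=5):
    """Hours whose legacy-protocol count exceeds `factor` times the median hourly
    count (and at least `min_count`): a simple signal for downgrade attempts or
    a newly misconfigured client population."""
    per_hour = Counter(r["ts"][:13] for r in records if r["proto"] in LEGACY_PROTOCOLS)
    if not per_hour:
        return []
    threshold = max(min_count, factor * median(per_hour.values()))
    return sorted(hour for hour, n in per_hour.items() if n > threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in legacy_from_unknown_hosts(recs, KNOWN_LEGACY_CLIENTS):
        print("legacy handshake from unknown host:", *hit)
    print("fallback spikes in hours:", fallback_spikes(recs))
```

On the sample, the two morning hours show the expected two legacy handshakes each from the allowed client, while the noon hour shows seven from seven unknown addresses and is reported as a spike; in a real deployment the baseline should come from a longer history than the hours being judged.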

EMV and P2PE
- Card Present Merchants
- Point of Sale Systems
- PCI validated hardware/software vendor
- Certified to BAMS

Benefits
- Removes CHD from the merchant environment
- Reduces PCI Compliance Scope
- Abbreviated SAQ (SAQ C to SAQ P2PE)
- Reduces chargebacks for non-compliance with EMV implementation

Validating EMV and P2PE
- Clear POS database of all card data regardless of encryption format
- Vendor Implementation Guide should be on file at Cash Management
- Test VLAN between merchant and vendor
- Validate CDE does not enter merchant environment
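"Clear POS database of all card data regardless of encryption format" needs a check that finds more than cleartext PANs. The script below is an added example, not part of the presentation. It runs two checks over a database export: Luhn-validated PAN candidates anywhere in the data, and populated columns whose names suggest card data, which is what catches encrypted or encoded values that a Luhn scan cannot see. The export rows are constructed; the PAN in them is the well-known Visa test number, and the column-name patterns and masking format are assumptions for this example.

```python
"""Scan a POS database export for card data before a P2PE/EMV validation.
Added example, not from the presentation; rows, column names and patterns are
constructed."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Column names that suggest card data: anything in them should be gone after P2PE cut-over.
SENSITIVE_COLUMN = re.compile(r"card|(^|_)pan($|_)|track|cvv|cvc", re.I)


def luhn_ok(digits):
    """Luhn check-digit test on a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Digit runs in `text` that look like a PAN and pass Luhn."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group(0)))]


def mask(pan):
    """First six and last four digits, the rest masked (assumed masking format)."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_rows(rows, id_column="txn_id"):
    """Findings as (row id, column, kind, masked value or marker)."""
    findings = []
    for row in rows:
        for col, val in row.items():
            for pan in find_pans(val):
                findings.append((row[id_column], col, "cleartext-pan", mask(pan)))
            if SENSITIVE_COLUMN.search(col) and val.strip():
                # Encrypted or tokenised values land here: the column must be empty
                # regardless of how the value is encoded.
                findings.append((row[id_column], col, "sensitive-column-populated", "<non-empty>"))
    return findings


# Constructed export rows: one cleartext PAN, one encrypted PAN still stored,
# one 16-digit invoice number that fails Luhn, one token.
ROWS = [
    {"txn_id": "1001", "amount": "12.50", "card_number": "4111 1111 1111 1111", "note": "cleartext PAN (Visa test number)"},
    {"txn_id": "1002", "amount": "8.00", "card_number": "enc:Q2xlYXJ0ZXh0IG5vdCB2aXNpYmxl", "note": "encrypted PAN still stored"},
    {"txn_id": "1003", "amount": "3.25", "card_number": "", "note": "invoice 1234567890123456"},
    {"txn_id": "1004", "amount": "41.00", "card_number": "", "note": "tok_7d3f2a81"},
]

if __name__ == "__main__":
    for finding in scan_rows(ROWS):
        print(*finding)
```

A Luhn match is only probable evidence: some order or account numbers also pass the check, so every cleartext finding needs a look at the column, while an empty result for the sensitive-column check is what the validation actually requires.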

More information

Training Opportunities
- PCI Security Standards Council Internal Security Assessor
- 2 Day Training in Boston, June 29-30
- $1650 Fee (Reduced from $2850)
- Applicable to Internal Auditors, Internal Risk and Assessment Staff

Resources
- otm.finance.harvard.edu
- https://www.pcisecuritystandards.org/merchants/index.php
- SAQs: https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs
- Harvard Support/Questions: pci_compliance@harvard.edu
- Trustwave QSA – Cash Management will arrange teleconference