Exois, Inc. - White Paper "Keys To PCI Success For Merchants"
Contents
1. General Introduction to the Payment Card Industry and PCI DSS (page 3)
2. Selecting Your PCI-QSA (page 7)
3. PCI As a Business Methodology (page 9)
4. We Store Card Holder Data for What Reason? (page 13)
5. Scope Reduction In-house & Outsourcing (page 15)
6. Aren't We Already PCI Compliant? (page 17)
7. Compliance Tools (page 18)
8. Risk Management / Risk Assessment - Are You a Target? (page 19)
9. Financial Implications of a Data Breach (page 22)
10. Next Steps (page 23)
About ExoIS, Inc. (page 26)
References and Web Sites (page 27)

Revision 2 - September 29th, 2010

Authors
David J Coombes, PCI-QSA, Principal Security Consultant
Contact details: email dcoombes@exois.com, office (408) 777 6958, fax (408) 716 8833
Ruth Xovox, CISSP, CISA, CHFI, PCI-QSA, VP Compliance Advisory Services
Contact details: email rxovox@exois.com, office (408) 777 6956, fax (408) 716 8833
Here are some of the thoughts, approaches and scenarios that we have seen during our dealings with various compliance programs and assessments. The Keys to PCI Success will help you to look at PCI Compliance from a different perspective and will assist you to utilize the requirements from a value-add approach for your business rather than a "we must comply with the standard, so what do we have to do?" approach. Even if you have already had your assessment from your PCI Qualified Security Assessor (PCI QSA), here are some thoughts on how to incorporate the whole process into your everyday operations.

General Introduction to the Payment Card Industry and PCI DSS

You probably store, process or transmit cardholder data and are therefore involved in the Payment Card Industry (PCI), which means that at some point in time you are going to become acquainted with the Payment Card Industry Data Security Standard (PCI DSS). Either you have been told that you need to become PCI Compliant and you are wondering what it all means, or you are already in the process of deploying a PCI DSS program and are moving towards PCI Compliance.

For those of you who are looking at PCI DSS for the first time, here is an overview of where it all came from and some of the implications for merchants that need to become compliant with the requirements. Although this white paper is not intended as a complete run-down of the PCI DSS requirements, it should provide you with enough information to start asking some very focused questions within your organization.

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard that came into being as a response from the major credit card brands (American Express, Discover, Visa, MasterCard and JCB) to the increasing levels of data breaches involving Card Holder Data and the associated credit card fraud. The standard has continued to evolve over recent years to provide additional clarification and to address the continuing sophistication of organized crime.
Every entity that stores, processes or transmits cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS). The standard is overseen by the PCI Security Standards Council (PCI SSC) and focuses on information security policy, cardholder data security, access control, network security and monitoring, and organizational vulnerability management. Copies of the standard can be obtained through their website https://www.pcisecuritystandards.org/

Copyright ExoIS, 2010 Page 3 of 27
So, how hard can this be? There are only 12 requirements! On the face of it, not so bad, but underneath the 12 requirements there are over 200 sub-requirements, which, depending on the scope of your credit card activities, may need extensive work before you comply with them.
Merchant Levels by Payment Brand

Visa
- Level 1: Over 6 million Visa transactions annually, OR global merchants identified as Level 1 by any Visa Region
- Level 4: Less than 20,000 Visa ecommerce transactions annually / up to 1 million Visa transactions annually

MasterCard
- Level 1: Over 6 million combined MasterCard and Maestro transactions annually, OR any merchant MasterCard deems to be Level 1
- Level 2: 1 million to 6 million combined MasterCard and Maestro transactions annually
- Level 3: 20,000 to 1 million MasterCard and Maestro ecommerce transactions annually
- Level 4: All other MasterCard merchants

JCB
- Level 1: Over 1 million JCB International transactions annually

AMEX
- Level 1: Over 2.5 million AMEX transactions annually, OR any merchant AMEX deems to be Level 1
- Level 2: 50,000 to 2.5 million AMEX transactions annually, OR any merchant AMEX deems to be Level 2
- Level 3: Less than 50,000 AMEX transactions annually

Discover
- Level 1: Over 6 million transactions on the Discover network annually, OR any merchant Discover deems to be Level 1
- Level 3: 20,000 to 1 million card-not-present (ecommerce) transactions on the Discover network annually
- Level 4: All other Discover network merchants
Note: Any merchant suffering a data breach is automatically escalated to Level 1 Merchant status, which means annual on-site PCI QSA assessments until further notice. Also, if you are deemed Level 1 by any Payment Brand, you will be Level 1 across the board. All levels: quarterly network scan by an ASV, except for Visa Level 4 and AMEX Level 3 (recommended).
Table taken from our webinar entitled "Breach of the Day".

Once your Merchant Level has been verified, you will be able to determine whether you will need an on-site assessment (Level 1), which will result in your PCI QSA completing a Report on Compliance (ROC) and you completing the Attestation of Compliance (AOC).
The above table can be found at https://www.pcisecuritystandards.org/saq/instructions_dss.shtml Whatever your Merchant Level, always review your options as to who you can talk to for advice and how much effort it will take to achieve your specific PCI Compliance. Regardless of your Merchant Level and which AOC is required, you will need to appoint a PCI QSA.
Selecting Your PCI-QSA

Depending on where you are in your PCI project life cycle, you will at some point in time need to appoint a PCI QSA; this in itself can be a challenge. Choosing your PCI Assessor (PCI QSA) needs to be given careful thought, and there are a number of aspects to consider.

The starting point is to verify that they are on the QSA List. To perform a formal (accepted by the Acquirers) PCI QSA assessment, the assessing company must be on the PCI QSA List and the individual assigned to the assessment must have successfully completed the 3-day PCI QSA training and passed the closed-book exam. All PCI QSAs must be employed by a registered QSA company; independent QSAs are not permitted to conduct formal assessments. The PCI QSA List is maintained by the PCI Security Standards Council (PCI SSC) and can be found at https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf

Not all QSAs are created equal: verify that they have the resources in place and can support your organization's scope. Will they supply references / testimonials for their work? How easy are they to work with? This is potentially going to be a long-term relationship, and a good QSA should be viewed as adding value to your organization's overall security programs.

How are QSAs monitored / evaluated? Even QSAs can have audit issues. Are they in remediation? This means that they have fallen foul of the PCI SSC criteria for completing the Report on Compliance and are now required to resolve the issues highlighted by the PCI SSC to retain their PCI QSA status. Companies in remediation are highlighted in red on the QSA List. The following is taken from the PCI QSA List:

"'In Remediation' status indicates a determination by the Council, after Quality Assurance review, that a QSA organization has violated applicable QSA Validation Requirements. This status may result from failure to comply with any number of applicable QSA Validation Requirements. QSAs are notified when remediation is required, and QSAs listed as 'In Remediation' may be actively seeking to remedy this status. For more about remediation please visit https://www.pcisecuritystandards.org/news_events/docs/0904_qsa_remediation_statement.pdf For information about the status of a particular QSA, please contact that QSA."
PCI As a Business Methodology

Looking at PCI DSS as something more than a one-time / annual event can seem like one of the current buzzword sayings, but in reality you are going to be involved with the PCI DSS for as long as it exists, or for as long as you are involved with credit card transactions, or, as one colloquial expression I heard many years ago puts it, "as long as cats are wee furry beasties". Treating the PCI DSS as an event that you have to do to keep your PCI Assessor happy has too many negative connotations, and the whole process becomes one of fear of failing the annual assessment. It can also focus you on just doing enough to pass the assessment: not good!

Look to develop ways in which the elements of the PCI DSS can be adopted into your standard operating procedures. This can start with how you develop and deploy your Security Awareness Program and how you relate the importance of protecting your data to your employees, partners, contractors, vendors, service providers, etc.

The Aberdeen Group reports that companies rated as best in class in PCI DSS compliance utilize the criteria in order to protect the organization and its brand. These companies view PCI DSS not merely as an obligation but as an opportunity to develop processes and capabilities that improve their business performance in multiple areas; for example, a holistic view of risk management.

Any organization that has gone through any type of ISO (International Organization for Standardization) audit, such as ISO 27001 / ISO 9000 / ISO 14000, etc., will have seen how this becomes an integrated part of the business. Also, hopefully, you will have seen many of the benefits associated with regular reviews and internal audits, and how these can complement an ongoing program of continuous process improvement.

We have seen many examples of these approaches deployed such that all compliance issues are fed into the combined processes that cover Root Cause Analysis, Closed Loop Corrective Action and Continuous Process Improvement. Successfully completing a PCI QSA assessment only covers your credit card data; what about the security of the rest of your organization's data? Data outside of the PCI DSS scope can include:
As with any business process, it is impossible to "inspect in" quality; there is no guarantee that 100% inspection will result in zero defects in any product or service. The same goes for the PCI DSS and how you deploy and test your controls to meet the requirements. In some cases you will need to develop Compensating Controls for instances where, due to business reasons, you are unable to comply with a certain requirement of the PCI DSS. Here's the PCI SSC definition:

"Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must:
1) Meet the intent and rigor of the original stated PCI DSS requirement
2) Repel a compromise attempt with similar force
3) Be 'above and beyond' other PCI DSS requirements (not simply in compliance with other PCI DSS requirements)
4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement."
[Figure: "Commonalities" and "Mitigation" boxes, excerpt from our webinar "PCI Threats, Controls and Risks"]

Focusing on the bullets within the Mitigation box above would reduce your overall risk of a data breach; these must be active parts of your overall business management strategy:
- Scope reduction: eliminating unnecessary stored data
- Controls focused on web applications
- Monitoring privileged activities (super users, etc.)
- Understand your outbound traffic and filter appropriately
- Regularly review and mine event logs
We Store Card Holder Data for What Reason?

Understanding your business environment is key to succeeding in preventing data breaches / losses. Discovery is one of the first activities that must be addressed, and in general it is an activity that is not well understood / executed. Many companies that suffer data breaches learn of assets that were not recorded during the initial discovery phase of the project and consequently were not addressed during their PCI program.

Do you store Card Holder Data? Why are you storing it? This simple question can help you to reduce your scope of assessment simply by reducing the amount of Card Holder Data that you store, or by eliminating the need altogether. Card holder data is broken down into 2 categories with associated rules for storage criteria, as specified in section 3.4 of the PCI DSS:

Deploying content discovery tools, such as those in Data Loss Prevention products, provides continuous scans of the environment that facilitate detection of cardholder data located in unknown locations / assets. Defining and maintaining your configurations for hardware and software is essential, and this will also lead you into change / configuration management controls: How does stuff get changed within your environment? Who reviews / authorizes the changes? How is this documented / verified / tested?

It is crucial to understand how you receive Card Holder Data and all associated data flows. This needs to encompass the entire business process, end to end. Additionally, you must understand whether you have any public IP address that can connect, directly or indirectly, to the cardholder data environment. Understanding this addresses breaches that involve assets which can connect to the data; breaches often occur through these connections, which could have been eliminated with better network documentation and then effective network segmentation. If you decide not to store card holder data, then you need to find a hosting solution that can fulfill all of the applicable PCI DSS requirements. There are many data centers / hosting providers out there; the challenges, once you have selected your supplier, are centered on managing the supplier and ensuring that they continue to be PCI DSS compliant. Talk to your QSA about your options here.
Scope Reduction In-house & Outsourcing

Many organizations face a series of challenging decisions over how to reduce the scope of their PCI Assessment. Most European countries have deployed chip and PIN, but that is unlikely to be adopted in the USA for some time to come, if at all! Some of the technology options to deploy in-house to reduce scope include tokenization and encryption. Whatever state the data is in during the transaction / data flow, the data must be protected:
- In transit from one device to another
- At rest, awaiting processing or storage
- In use, including authorizing a transaction

Ever since their well-publicized data breach, Heartland Payment Systems have campaigned for End to End Encryption (E2EE). The first step would be to ensure that the data is encrypted at the source, as soon as the data is gathered, whether from swiping or by manual data entry (card not present, etc.). The only time encryption is required by PCI DSS is during transmission of card holder data over open networks, wireless or end-user messaging technologies.

When outsourcing, understand what your selection criteria will be for a service provider. One approach is to use service providers that are on the Visa Global List of PCI DSS Validated Service Providers, which can be found at http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf Just ensure that you have the latest version of the list, as Visa updates it on a regular basis. The scope of work that you have outsourced to your service provider needs to match the scope of their approval on the Visa website, and you should follow standard practice for approving any vendor (due diligence / site visit / D&B, etc.); do not assume that because they are on the Visa list they are qualified to meet your requirements. Visa has a disclaimer on their web site regarding the list; make sure you understand what they are telling you.

Where the scope does not match, or where there have been known data breaches at that provider, it may be that the PCI QSA Assessor includes the vendor within the scope of the assessment.
Compliance Tools
Focusing on the cost of your compliance tools can be a misleading way of looking at the overall cost of your PCI Compliance program. Think back to the movie Apollo 13, where just before lift-off a comment is made about how reassuring it was to know that the bidder with the lowest price was responsible for building the Saturn 5 rockets. Is that how you view vendors / service providers for your security program? Consider the risks that you want to mitigate with the tools / services that you are buying: what is the risk of an escape / data leak?

At ExoIS we have several Strategic Partners that can assist you with your PCI programs with items such as:
- Hosted services, including data storage for live and archived information
- Continuous compliance
- Secure voice recording services for call centers
- Vulnerability / network / wireless scanning
- Governance, Risk and Compliance (GRC) platform
- Content development for policies, standards and awareness training material
- Vendor and supply chain management
- Forensic investigations
Aren't We Already PCI Compliant?

"We have been processing credit cards for years, so we must be OK" is a comment that we have heard many times, and it has no bearing on whether you are PCI Compliant. Regardless of the Merchant Level, many of the requirements of the PCI DSS have not previously been considered a business necessity and have not been mandated before. Believing that your existing IT infrastructure is automatically PCI Compliant, or can be adapted to become PCI Compliant, can cause you major issues. How many times have you undertaken projects where it looked as though the cost-effective approach would be to keep the existing items in place and build around / modify as needed? How many times have you got deep into the project, only to finally decide to pull everything out and start again? Remember that home improvement job, the car restoration, the home computer system upgrade? In many cases, be prepared for some fundamental changes within your IT / IS infrastructure, especially in the following areas:
- Data encryption
- Firewalls
- Network segregation
- Anti-virus / malware
- Logical and physical access to data
- Data storage / backup / archiving
- Log monitoring / audit trails
- Network scanning

The need for additional understanding of vulnerability scanning, penetration testing, segmentation of the wireless environment and the need for wireless scanning is crucial for PCI DSS success. Becoming PCI Compliant and maintaining your compliance (continuous compliance) can be a savior should you suffer a data breach. If a forensic investigation shows that your controls were in place and were compliant at the time of the breach, you may be able to declare Safe Harbor, which, if granted, can dramatically reduce your financial liability in any subsequent litigation from the Payment Brands / State or Federal prosecutors.
Risk Management / Risk Assessment - Are You a Target?

Understanding risk and compensating controls allows you to focus on the critical aspects of your business; however, you cannot eliminate a section of the PCI DSS on the grounds that you determined the risk to be minimal to your business. Take some time to understand that identity theft is the fastest growing crime worldwide, and then consider how you feel about your financial and personal information being leaked to malicious third parties. The financial burden on organizations to recover from a data breach can be high, but consider how the individual victim, the general consumer, is impacted by data breaches. The average individual that suffers from identity theft can spend over 60 hours and over $1,500 to correct the issue. Once they have been hit, they are often a repeat victim, and generally, unless the dollar amounts are over $10,000, most law enforcement agencies are not interested, so it is down to the victim to sort out the mess. Add to the complexity of resolving the problems the fact that most law enforcement databases act in isolation, so clearing up issues between credit reporting bureaus, DMV, SSN, etc. takes a huge amount of resource and is a tremendous distraction for an individual; consider how that can impact you and your employees. Now, how would you want an organization to protect your data? Is that any different from your organization's view on data security?

Are You a Target?

Consider the data that you have within your organization; is it of any value to a third party (by third party we of course mean any form of illegal use of the data: identity theft, fraud, etc.)? For credit card fraud, all roads lead to cardholder data: the primary account number (PAN) and the sensitive authentication data printed on or stored in the magnetic stripe or chip of the credit or debit card. So:
- How badly do they want it?
- How can they profit from it?
- How far would they go to obtain it?
- How difficult would it be for them to get it if they started trying today?
- What could you do to decrease the chances they will choose you, or increase the work required to overcome your defenses?
According to the 2010 Data Breach Investigations Report from Verizon, 86% of all victims of a data breach had evidence of the breach within their log files, if only they had had a systematic approach to reviewing that data. Within your industry sector, who has suffered a data breach in the past 12 months? Given the available information, what can you learn from the data breach? Did it involve a direct competitor? If so, is there a risk that your organization could suffer a similar breach, and if so, what can you do to prevent it? Which areas of the PCI DSS were applicable to the data breach? Do you have similar applications / processes?
Back to the Risk Management aspects of all of this. Here are key questions to ask as part of your risk assessment process (some of these have been addressed earlier; these are some of our top questions, but what are your top risk areas?). Some of these may not be applicable to your organization, depending on what is actually in scope / what has been outsourced to approved service providers:
1. How do you define accountability within your information security program?
2. How current is your configuration management list for your hardware / software?
3. How valid is your network diagram?
4. How often do you test your firewall / router rule sets?
5. Who is responsible for ensuring that system default passwords have been changed?
6. What open network connections do you have?
7. What data is stored on mobile devices (laptops, etc.)?
8. How do you control access to your sensitive employee / cardholder data?
9. What security / encryption do you have on transmitted data?
10. Do you transmit cardholder or other sensitive data over wireless?
11. What security / encryption do you have on stored data?
12. What is in the cloud / how vulnerable is this data?
13. What does your anti-virus software cover?
14. Have the application servers / databases / firewalls been reviewed?
15. How do you know that your security patches are up to date?
16. What verification activities covered OWASP?
17. How often do you review access rights?
18. Who reviews log data?
19. How do you know that your audit trails on log data cannot be altered?
20. How often do you run vulnerability / network / wireless scans?
21. What are considered the main areas of vulnerability for your data (failure modes)?
22. What would be the impact to your business of a data breach?
23. What would be the impact to your customers / employees of a data breach?
Financial Implications of a Data Breach

The risks and costs of a data breach are often underestimated by most organizations. What techniques have you employed to assess the potential impact of a data breach within the parts of your organization that are responsible for Card Holder Data and other sensitive data?
- The cost of lost data was reported by the Ponemon Institute at $204 per data item for 2009.
- Risk of suspension of your ability to process credit card transactions until further notice: what $ amount does your organization transact with payment cards on a monthly basis?
- Fines from the credit card companies for a data breach can be as high as five hundred thousand dollars, and this excludes any litigation fees.
- Currently 45 States and many countries (including the European Union) have data breach notification laws on their statutes, and they can also file separate litigation for data breaches.
- Most organizations are not aware that if they suffer a data breach, their acquirer will elevate them to a Level 1 Merchant and require them to undergo an on-site PCI Assessment annually until further notice.
- As an example of litigation, Heartland and TJ Maxx have incurred nearly $200 million in fines from the credit card companies and various District Attorneys over the past year.
- Remediation for a data breach can take an extensive amount of forensic investigation and is subject to verification by the QSA once all remediation has been completed (usually 3 months after deployment); estimated costs for remediation run at around one hundred and fifty thousand dollars for a Level 1 Merchant.
Next Steps

How you approach your PCI DSS project will depend on the size of your organization, the number of different environments that you are running, the volume of credit card transactions and the amount of Card Holder Data that you store. Regardless of all that, PCI DSS is still a huge undertaking, so attempting all of the 200-plus requirements in one sitting is like trying to eat the elephant. Here are some thoughts on setting milestones and breaking it into bite-sized chunks; mind you, some of these bites are gourmet-meal sized!

Before embarking on any compliance program, how will you communicate the program's goals and objectives to your employees? Even though it is #12 in the PCI DSS requirements, we always start with a Security Awareness Program as a kick-off event. This should address several issues:
- What is PCI DSS?
- Why are we doing it?
- Where are we now with regards to complying?
- What will need to be done, over what time period?
- What is happening in our industry sector?
- Who is our Chief Security Officer (or equivalent)?
- What can each employee do to make our data more secure?

This should not be seen as a one-time event; the subject matter needs to be continuously updated to reflect your business as it evolves. All new employees should go through the training as part of their New Employee Induction process. Allocate owners to key elements / activities within your PCI program. Look for suggestions as to how to reduce your risk / exposure to threats by keeping up to date with current security events. Subscribe to relevant RSS feeds. Join a local PCI chapter or LinkedIn group. Here is our group for Silicon Valley, CA; you don't have to be in the geographic area to participate online: http://www.linkedin.com/groups?about=&gid=3533998&trk=anet_ug_grppro
Milestones for breaking the program into bite-sized chunks (excerpt from our webinar "PCI Threats, Controls and Risks"):
2. Define and control the points of access: firewalls / network segmentation / restrict access / encryption / AV / vulnerability scans / IDS
3. Secure the web applications, application processes and application servers: security patches / OWASP / firewalls
4. Define and control the who, what, when and how with regard to who is accessing your network / CHD environment: logical / physical access / RBAC / passwords / logs / alerts
5. Protect stored cardholder data: if you must store it, then define and deploy key protection mechanisms for the stored data: mask PAN / hash / truncate / encrypt / CVV2 / PIN
6. Finalize remaining compliance efforts and ensure all controls are in place: everything else, including your Security Awareness Program and all associated policies, procedures and processes: config management / secure audit trails / wireless / pen tests / FW & router rule sets

What are your next steps? Apart from rushing out and getting your hands on a copy of the PCI DSS, which you can download from here XXXXXX, and diligently reading through the 200+ requirements (or delegating that to one of your trusted staff), what are the alternatives? Get help. Give us a call and talk to one of our experts. Regardless of whether you are a Level 1 Merchant or whether you qualify for one of the Self Assessment Questionnaire (SAQ) options, seek some guidance and discover some of the pitfalls that can snag you. This will also ensure that you have addressed the key questions regarding what you do with the card holder data and that you are using the correct questionnaire.
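The discovery step described under "We Store Card Holder Data for What Reason?" and the "mask PAN / hash / truncate / encrypt" mechanisms in milestone 5 above come down to two operations: find candidate PANs in data you did not expect to hold (log files, exports, shares), and render any PAN you must keep unreadable. The Python script below is an added example written for this page; it is not ExoIS code and not taken from any DLP product. It uses the Luhn (mod 10) check that all major card brands apply to PANs to separate real card numbers from other long digit strings, masks hits to the first six and last four digits (the maximum PCI DSS allows to be displayed), and shows salted one-way hashing and truncation as storage-side alternatives. The log lines, the test PANs, the salt and the function names are all constructed for the example, and it goes slightly beyond the text in that it also handles PANs written with spaces or hyphens between digit groups.

```python
"""Cardholder data discovery and PAN protection helpers (added example)."""
import hashlib
import re

# Candidate PANs are 13 to 19 digits, optionally separated by spaces or hyphens.
# Runs longer than 19 digits are skipped on purpose so a long numeric field
# (a transaction reference, a hash) is not mistaken for a card number.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed log lines: two Luhn-valid test PANs (one written with spaces),
# one 14-digit reference number that is not a card number, and one digit
# string that fails the Luhn check.
SAMPLE_LOG = (
    "2010-09-29 10:15:02 order=1001 card=4111111111111111 amount=19.99\n"
    "2010-09-29 10:15:09 order=1002 card=5555 5555 5555 4444 amount=5.00\n"
    "2010-09-29 10:16:30 order=1003 ref=20100929123456 amount=7.50\n"
    "2010-09-29 10:17:01 order=1004 card=4111111111111112 amount=3.00\n"
)

# Hypothetical salt for the hashing example; a real deployment keeps it secret.
HASH_SALT = "example-salt-do-not-use"


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check-digit test applied by every major card brand."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit-only PANs in text that pass the Luhn check."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, the PCI DSS maximum."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form that keeps only the last four digits."""
    return pan[-4:]


def hash_pan(pan: str, salt: str = HASH_SALT) -> str:
    """One-way SHA-256 of the full PAN with a salt, usable as a lookup token."""
    return hashlib.sha256((salt + pan).encode("ascii")).hexdigest()


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""
    def _mask(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print(f"found PAN ending {truncate_pan(pan)}: masked {mask_pan(pan)}, "
              f"hash {hash_pan(pan)[:16]}...")
    print(redact(SAMPLE_LOG))
```

Running the script on the constructed log reports the two real test PANs and leaves the reference number and the Luhn-invalid string untouched, which is the behaviour you want from a discovery scan: every hit is worth a follow-up, and a clean result still has to be backed by a current asset inventory because the scanner can only read what it is pointed at. Note that PCI DSS 3.4 warns that a hashed and a truncated version of the same PAN, stored where they can be correlated, make it easy to reconstruct the original; pick one storage form for a given data store rather than keeping both.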