Sign Kansas Banking Permission Slip Computer

Sign Kansas Banking Permission Slip Computer. Apply airSlate SignNow digital solutions to improve your business process. Make and customize templates, send signing requests and track their status. No installation needed!

Make the most out of your eSignature workflows with airSlate SignNow

Extensive suite of eSignature tools

Discover the easiest way to Sign Kansas Banking Permission Slip Computer with our powerful tools that go beyond eSignature. Sign documents and collect data, signatures, and payments from other parties from a single solution.

Robust integration and API capabilities

Enable the airSlate SignNow API and supercharge your workspace systems with eSignature tools. Streamline data routing and record updates with out-of-the-box integrations.

Advanced security and compliance

Set up your eSignature workflows while staying compliant with major eSignature, data protection, and eCommerce laws. Use airSlate SignNow to make every interaction with a document secure and compliant.

Various collaboration tools

Make communication and interaction within your team more transparent and effective. Accomplish more with minimal efforts on your side and add value to the business.

Enjoyable and stress-free signing experience

Delight your partners and employees with a straightforward way of signing documents. Make document approval flexible and precise.

Extensive support

Explore a range of video tutorials and guides on how to Sign Kansas Banking Permission Slip Computer. Get all the help you need from our dedicated support team.

Industry sign banking kansas permission slip computer

[Music] Good morning, and thank you for participating in today's webinar, Payment Card Industry Compliance. My name is Paul Horton, a senior manager in BKD's Pittsburgh office. BKD is pleased to co-sponsor, along with the Western PA chapter of HFMA, the February 2019 Winter Wednesday webinar series. Our presenter today is BKD director Rex Johnson. Rex is a director at BKD in cybersecurity. He has over 25 years of IT, business and leadership experience. His expertise includes cybersecurity, data privacy, IT governance, project management, enterprise risk, internal and external audit, regulatory compliance and control assurance. He has led teams to address security risks and develop long-term sustainable solutions. Rex is a retired US Army lieutenant colonel and previously served as adjunct faculty at the University of Maryland and the Defense Information School for the US Department of Defense. Rex is a graduate of the University of Kansas with a BA degree in journalism and an MBA. He is a Certified Information Systems Security Professional, Certified Information Systems Auditor, and Certified Information Privacy Technologist, Project Management Professional, and Payment Card Industry Qualified Security Assessor. And with that, again, thank you for participating in today's webinar as well as its February 2019 Winter Wednesday webinar series.

Before we get started, we'd like to find out a little bit more about our audience. So there's no right or wrong answers here. We will give you a few seconds to submit your answer identifying which HFMA chapter you belong to. If you are not an HFMA member, that's okay, you can hit the Other button. Feel free to enter your location in the question box if you feel like sharing it that way as well. It looks like there are some people from PA, but the majority of the folks are from across the country. Thank you for your responses. At this time I'd like to turn over the webinar to Rex.

Well, thanks a lot, and everybody, I appreciate you taking time out of your morning to join. One of
the things that's interesting about credit cards is they've become the most popular instance of identity theft. Saks, Lord & Taylor last year had 5 million cards stolen. Home Depot had a huge breach in 2014, and we all know about the Target breach in 2013. So as we take a look at these, identity theft, especially credit card theft, is continuing to happen, so there was a need to put some security parameters in place.

Now, many of you probably do have a credit card with an EMV chip. That actually stands for European MasterCard and Visa. It was started over in Europe as a more secure means to take credit card payment. This was to help reduce the risk of people making their own cards and going to the store and making purchases. So even though that's rolled out, we see a rise in the types of thefts for what's called card not present. In other words, they don't have to have your card to make a purchase. When you buy something on Amazon, or in a number of places you may purchase something on the web, that's considered a card-not-present transaction, because you're not actually swiping the card, you're entering the number into the website to make your purchase, where a card present is where you go to a store or a restaurant and you actually present your card and take it through a PIN and chip reader, or you actually use it in some sort of process for your payment. So because of that, internationally we see card-not-present fraud rise by 7 percent. That's resulted in over 242 million dollars in losses.

So even though there's a lot of money that's being made from identity theft, what's interesting is that credit cards are only sold for about a dollar apiece on the dark web. So you're seeing them sold in bulk in that case, and they need to sell a number of these in order to make a profit. And typically, due to more security measures within banks, people know that they buy a bulk of cards that, you know, some of them may not work because they would have been shut off. So let's talk about what is
PCI compliance. So many years ago the payment card brands got together and said that they wanted to have a standard for cardholder data. A few of them tried it out on their own and it was somewhat successful, but then they decided, why don't we work together, because most people are taking our cards, and put together some sort of standardized approach. And that's when they implemented the Payment Card Industry Data Security Standard; that stands for PCI DSS. So this was put into place as a set of rules by the card brands. Now, if an organization, or any type of organization, accepts credit card payment, they store credit cards, they process or transmit any sort of cardholder data, they do need to be PCI DSS compliant. Now, I will say that PCI DSS is not a law. It's actually a set of rules that's informed by the payment brands, and it's governed by the PCI Security Council. So one of the things to keep in mind here is that even though it's not a law, there are penalties and things that can happen to organizations and companies if they're not compliant with PCI DSS standards, and I'll talk a little bit more about it as we get into the presentation.

So what is the Security Standards Council? Well, the card brands decided that they needed to have rules, so they put together the Security Standards Council to be the governing body who would administrate these standards across the board. So the PCI Security Standards Council works on behalf of the card brands, and they're created to help increase the controls around cardholder data and to reduce the fraud. So they are the ones who continually update the standards and the rules. They also have the responsibility to qualify companies and individuals to be PCI assessors. So the PCI assessment certification is known as Qualified Security Assessor, and that is someone who has been trained and takes an exam so they can do the appropriate due diligence and testing to make sure an organization is PCI compliant. So in order for that to happen, a company
needs to be a QSA company, and then from that standard they will go ahead and give those standards out to help organizations and also to assess them for their own compliance. So that's their role. Now PCI DSS, again, defines technical and operational requirements for anyone who's accepting or processing card payments, and also software developers, manufacturers of applications and people that are making payment applications out there; they also have to abide by PCI DSS.

Now, QSAs are trained to conduct these PCI DSS assessments. Now, just like other professional organizations, there is a code of conduct that they need to abide by, and so they have to have standards to show that they're independent, they're not in a conflict of interest with anyone they're performing an assessment for. They also have to have initial training and a certification exam. After they've done that, they're qualified, but they have to retake training and be recertified every year with an exam. So this is something that is an annual requirement in order to make sure that the QSA is continuing to be above board and knows how to do proper assessments. Additionally, they have to have a background check done every year by their company's HR department to indicate that they are clean from any sort of issues that might compromise their independence. They have a professional obligation to maintain working papers on assessments they perform for three years. Now, some organizations have longer periods, but the PCI requires the QSA to hold these for three years.

There is another certification called an Internal Security Assessor, or an ISA. They are trained the same way that QSAs are, and they're actually provided the ability to kind of help manage and administrate their company's PCI compliance. Now, they're not independent, because they work for the company, so they do rely on the QSAs to come in, but the ISAs can certainly assist because they have the same training. So
we are now to our first polling question. So PCI is the set of rules that's required by one of the following: is it the payment card brands? Is it the acquirer? Is it the PCI Standards Council? Is it the QSAs? Or are you just not sure? I'll give you about 30 seconds to respond.

Okay, all right. Well, a quarter of you got this correct. PCI is a set of rules that are created by the payment card brands, by Visa, MasterCard, American Express, Discover and JCB. They're the ones that make rules. Now, the PCI Standards Council enforce those rules, and they are responsible for publishing the requirements, the assessment forms, and training the assessors, but they don't set the rules, and certainly QSAs don't do that as well. So the correct answer on that one was the payment card brands.

Okay, now, how do you take payments? That's a question to think about. Organizations, and they're called merchants in the PCI world, we refer to anyone who takes a credit card payment as a merchant, even though that may not be the official name of your business, that's what PCI calls it for the sake of the assessment, they typically have more than one way to take a payment. And if you think about it, when you go to Starbucks and you make a purchase and you use your card, that's an in-person payment channel. Same thing if you go to the grocery store or you go to another store, and that's typically an in-person payment channel. But you may also notice that some of these stores have what's called a payment device, a point-of-sale, point of interface, that you actually take your card to, to either swipe or put your chip PIN in. That's considered a payment channel as well. So as opposed to an in-person, where they might swipe your card or have the old, what they call the knuckle busters, that they used with the carbon copies, the payment device is a separate payment channel for that. Another thing is mail order. Some people do order by mail; they do write the credit card number down on a sheet of paper, mail it in, and
there are certain rules that you have to abide by when you accept that sort of credit card payment, but that still does happen, and mail order is a payment channel itself. Online, which is probably the way that most of us have purchased things, especially if you go to Amazon or you buy things from eBay or you order things from one of the sites, that's a payment channel. And there's still the ability to do payment by phone. So your organization may have many payment channels, many ways that you accept credit cards as a form of payment, and that's one of the things that when someone comes in and does your security assessment for PCI, they have to look at every payment channel that you have.

Now, there are two types of assessments. There's the report on compliance and there's a self-assessment questionnaire, and the organizations may say, well, which one's the right one for me? Well, it depends on the volume of credit card transactions you're taking, and we'll talk a bit about that shortly, but it also depends very much on your acquiring bank and what they're going to tell you to take, or what kind of form they want you to fill out. For example, the report on compliance is a larger report. It is a full review that has to be done by an independent organization, so that's where a QSA has to come in and actually do the report on compliance. It has to be done by an independent party, and as I said, there may be larger organizations that might have ISAs on staff to assist, but they need to show that independence. This is what we call something that has to be done by level one merchants and service providers, and I'll explain what the levels are here in just a moment. Now again, the acquiring bank may elect other levels to do a report on compliance. The acquiring bank is the bank that has the authority to tell an organization what type of PCI assessment they want. Even though the card brands make the rules, the acquiring banks are the ones that are validating that their clients, their customers, are PCI compliant,
and so they may ask for a particular form or assessment done, and some of them have actually asked for smaller organizations to do a full report on compliance.

Now, the self-assessment questionnaire, by its very name, is something that someone can fill out on their very own. They don't have to have somebody independent come in and fill it out, and these were organizations that are taking fewer credit card payments, typically less than six million credit card transactions a year. Now that's about six billion dollars, that's transactions. So this was created, and the forms are out there for folks to download so that they can go ahead and do the appropriate assessment and do a self-evaluation. Now, because there's a lot of information you have to fill these out with, a lot of organizations and merchants have hired QSAs to come in and perform the QSA, I'm sorry, the SAQ for them. So you can opt to have a QSA do the self-assessment for you, and they would have to sign off on the form that they did it. And the other thing about this is some of the clients or customers of an organization may want to see a QSA do the SAQ because it shows an independent assessment. Now, there are eight different types of SAQs, which I'll share here in just a moment, and with that, basically all levels except for level one typically fill out a self-assessment questionnaire.

Now, I talked a little bit about merchants. I think I advanced a bit here. Okay, so PCI levels. I talked about that a level one merchant, that is an organization that is taking over six million credit card transactions a year, and because of that they're required to have an annual assessment on-site, that a QSA comes out and provides that assessment for them. They also have to get what's called a quarterly network scan. Now, there are organizations out there called approved scanning vendors that are validated by the PCI Security Council to do scans to make sure of common vulnerabilities that impact credit card transmissions
are done. So they have to have both of these things done: they have to have the report on compliance done and have to have the quarterly ASV scans performed. Now, the other merchants, you see the merchants are broken down again by annual transactions of credit cards. A level two merchant would be between one and six million transactions. Anybody who is below a million but north of twenty thousand are level three merchants, and organizations that take very few credit cards, less than twenty thousand a year, are a level four. They still have to all complete a self-assessment questionnaire. Depending on their environment, they may or may not need an ASV organization to do their scanning.

Now, I talked a little bit about service providers. A service provider is a business that is directly involved in the processing, storage or transmission of your cardholder data. So they're not one of the payment brands, but they help you process that payment, and they do these on behalf of another entity. And so if you think of data centers, transaction processors, managed service providers, payment gateways, vendors that provide point-of-sale maintenance, all of these are considered to be service providers. Now, because they do have a role in the payment card process, they do have to have their own report on compliance or self-assessment questionnaire complete, and in order to do that, they have to have that done and then they have to provide what's called an attestation of compliance, which is an abbreviated form that shows that you had your assessment complete. Now, PCI levels for service providers are very similar and they're broken down in a similar way. So again, level one service providers fill out a full report on compliance. Level two and level three service providers would fill out an SAQ, and again, they can have that done themselves or they just may elect to have a QSA come in and perform that for them to show their independence.

So I mentioned that there are eight types of SAQs,
and this depends on how organizations take credit card payment. If it's an e-commerce merchant and they're just doing mail or telephone order or online, a lot of times that's an SAQ A, and that's a very small form to fill out because the credit card information goes straight to a payment processor; it doesn't stay with the organization. The A-EP was developed from that because there were some merchants that did outsource their payment processing but they did have their own websites that they used to accept payments, and some of the card information was stored there, so they had to break that out. The B is a merchant, just a store, that you would have the regular imprint or knuckle buster machines or standalone dial-out terminals that you would take a payment with. The B-IP came out when the chip and PIN readers became more popular, and it's a shorter form than the B, and it's used at point-of-sale approved payment terminals, and you'll see a lot of those in the stores that you go to. The C was organizations that have an internet site that they used to collect payment, but then they take it to a processor; they don't store the cardholder data, so they fill out a C. The C-VT is organizations that are very similar, except they have a virtual terminal that the payment processor provides them and they're actually entering the card that way. They've also got one for point-to-point encryption devices. And if an organization doesn't meet any of this criteria above, or if they store card data on premises themselves, they all default to the SAQ D, which has the most number of questions.

Now, whether you're doing a report on compliance or a self-assessment questionnaire, the thing you need to realize is both of those are going to lead you to what's called the AOC, or attestation of compliance. The AOC is, again, a shorter form that shows evidence that you did your annual PCI assessment, and what you can do with that is you can provide that as evidence,
so rather than have to show someone your full ROC or your full SAQ, if someone asks if you're PCI compliant, they can show the attestation of compliance. The AOC will be the sufficient evidence that's needed in order to provide the proof that you had the assessment done.

And now we're next to our next polling question. Does a merchant have the option to select the type of SAQ they will do? In other words, can they pick the SAQ and say this is the one I want to do, or did someone else select that for them?

Okay, the answer is false. A merchant does not have the option to select the type of SAQ they will do. Typically what will happen is the acquiring bank will come in and tell them, this is the form of SAQ we want you to do, and that's what they'll submit. So it's not something they get to select on their own. It is based on payment channels, and because the acquiring bank is the organization that's on the hook for their customers' PCI compliance, they will direct their customers on which one to fill out. But most of you got that right.

Now I'm going to go and highlight the 12 different requirements. So PCI DSS has a total of six goals, which map to 12 requirements. Now, under each one of these requirements is a set of sub-questions in order to meet the compliance that's needed for your PCI. And the one thing about PCI is it is an all-or-nothing thing. In other words, if you're not meeting standards in one of the questions, then you're not going to be PCI compliant. There are times that there might be a situation that is not applicable for you, and you can definitely indicate that, but the PCI DSS requirements that are in scope for your organization all have to be in place in order for you to be successful with your PCI assessment and have your attestation of compliance.

So we'll start taking a look at what these are. The first requirement is to install and maintain firewall configurations that are used to store cardholder data. Now, firewalls are used to protect the cardholder data
environment. Most organizations do have firewalls that they have put in on their networks, especially on the perimeter, to keep traffic out. So what's called an untrusted network is the network that is not used to host card data. So organizations have to consider the Internet is untrusted, generally Wi-Fi is untrusted, and they have to prohibit direct access from the Internet to the cardholder data environment, and that's what CDE stands for. Now, a lot of organizations segment the networks in order to keep where they're processing payment card data separate from the general network, and that's a very good idea, but it's not required. The only thing is, if you do have a flat network and you don't have segmentation, that means an assessor is going to have to look at your entire network for security, whereas if you have it segmented, then the only thing that the QSA is going to be concerned about is that network segmentation, and in the event that someone can break that segmentation and come from the untrusted network into the cardholder data environment. So this entire requirement is maintaining the firewalls to protect that data.

Okay, requirement number two is not to use vendor-supplied default passwords for system, for security parameters. Now, whenever you buy a device, whether you get it from a service provider or whether you buy it in the store, a lot of those devices come with default accounts and passwords, and typically hackers will look to see, hey, what's the default password for this firewall, for this NIC, or router, and they will look it up and they will try to get into your system through that router by compromising with the default password. So it's a good security practice anyway to remove the default accounts and replace those with accounts that actually have better security and with better passwords on them. So the requirement here says to remove and change these defaults. Now, there's a lot of standards out there that apply to this requirement, whether it's NIST or
ISO or SANS or the center of Internet technology, all those ones will provide you with some guidance on that, but typically what you're wanting to do here is make sure all the defaults are removed from wireless networks, from routers, from switches and other devices, so that a hacker cannot compromise it with the defaults.

Requirement number three talks about protecting cardholder data that's stored. So occasionally cardholder data will be stored with an organization in order to track sales. You may have noticed that when you purchase something you get a receipt, and sometimes that receipt may show the last four digits of your credit card number, and that's okay. It's actually okay for them to show the first six and the last four digits of a card, because the first six digits of a card is going to tell you the type of card it is and what financial institution implemented it, gave you that card, so you have the availability to kind of see that, and then the last four uniquely identifies your card, but it doesn't have your whole number. The PAN stands for primary account number, and when someone refers to PAN in PCI language, that's your entire credit card number, the whole digits that are there. But what's important about this requirement is that if the data is stored, that you're masking the information that doesn't need to be there, that you have encryption in place for additional protection, and it's strong enough encryption so that it's not compromised easily by hackers.

And then one of the things you can think about here, and a lot of things merchants have done, is tokenization. And tokenization is a very special way to uniquely identify a purchaser with their merchants. For example, some of you may have turnpike passes, and you may use your credit card or your payment card in order to pay for tolls as you go through the turnpike. Well, some of the turnpike authorities have moved to a tokenization process, so even though you've gone to their site and you stored
your credit card there and say, anytime I start to run low on money you can recharge it up to $20.00, or whatever the amount may be, or maybe you just have it reoccurring every time you run through the tollbooth, the token is a special number. It's a bunch of digits that basically uniquely identify you as the buyer and the merchant as the merchant that's selling that to you. So in other words, if someone were to steal this token, they wouldn't have any success with using it to buy something on Amazon or something else, because this token is a number that basically says only the turnpike authority can issue this and this is only used for John Smith for when he goes through tolls, and the payment processor will reject any other transmission of that token for payment. This allows organizations to keep the cardholder data off of their premises and yet have a reoccurring payment. This has been very successful and reduces the risk of credit card data theft or misuse, and tokenization is a great way to go if you're interested in mitigating your risk with credit cards.

The next requirement is encrypting transmitting of the cardholder data over public networks. Well, eventually when you transmit your card, or when you pay for something, that cardholder data does need to get to the payment processor somehow. So this is talking about encryption where the information is protected as it gets transmitted over the network. So there is likely key management between a merchant and their payment processor that encrypts the credit card information from start to finish so that it can go ahead and protect that from a man-in-the-middle attack that may try to take that data and compromise it. So it's very important to have that. Now, wireless networks are considered an open, untrusted network, so you need to consider encryption, especially if you have someone who's using a point-of-sale device. Many of you may have made a trip up to a fast food restaurant, a place like Chick-fil-A, where they
actually had people take your order and swipe your card while you're in the drive-through lane, as opposed to waiting till you get up to the window, and they've got those wireless devices. Well, they're required to have encryption to protect that, because they're transmitting that cardholder data from that device to their point that eventually goes to the payment processor.

And so what you also want to make sure that you're doing here is you're not sending the primary account numbers by end-user messaging. And what this means, and it talks about emailing and instant messenger, there have been instances where people have actually said, hey, can you give me John Smith's credit card number, I need to process his payment, and somebody over instant messenger or Skype types in his full credit card number and sends it so that the person who asked for it can transmit it and run the card. Well, that's not a safe and secure method. You definitely don't want to do that, because that's an insecure method. So it's looking for policies in place that say that you don't do that over instant messaging. Another thing is not letting customers email their credit card numbers in. I know a lot of customers may do this, and I've seen organizations take proper methods to try to mask that data, but the best thing is just not to allow a full credit card PAN to come over an email channel or any other type of end-user messaging, and this is one of the tests within this requirement.

The next requirement is to use regularly antivirus software and programs. So this is simply just having a current, valid antivirus software system in place, maintaining your definitions and making sure they're current, making sure that they're actively running, you're not allowing users to turn off their antivirus. I do know I have run into situations where some folks who are a little bit more PC savvy have disabled the antivirus because they're trying to run certain macros. Well, if they're accepting card payments on that system, you
need to prevent their ability to do that. You also need to be able to generate logs that show the antivirus was run and if it caught any viruses or attempts. So that's the big thing to do for requirement 5.

Requirement 6 is typically for organizations that are developing payment systems in-house. So if you're developing your own system that accepts credit card payments, or if you've got an application that you got from off the shelf that you're using to accept payments while you're on your premises, then requirement 6 is going to require you to maintain secure systems and applications. So it's going to require that you keep your patches current on your operating systems and on your applications, and the big requirement here is that critical patches that are deployed need to actually be put into place thirty days from release, and that's anything that has a critical vulnerability. And this is the thing that we look for as an assessor: have all the critical patches been deployed within 30 days, and if so, great; if not, then why weren't they implemented? It also requires you to risk-rank vulnerabilities that are found in the environment and provide the appropriate scanning of those systems. It also looks at change control processes. If you make a change in your environment, how does that impact how you take cards? How does that impact the security of the cardholder data as it's coming through? If you've got a big change to your process and procedures, then you need to consider what you have done in order to make sure that your PCI data is still compliant. And also secure coding guidelines we'll look at here. A lot of folks have talked about secure coding standards when they develop software. It looks to make sure that those standards are in place for any applications that you're using specifically for the credit card.

Requirement 7 talks about restricting access to cardholder data by business need-to-know, and I think the thing here is to keep in
mind that not everybody needs access to everything. If someone's job doesn't require them to have access to cardholder data, then don't give that to them. And this talks about logical access. If someone does have the authority to do that, document that, indicate why they need to have access to that, and have it signed off by management. So it takes a look at a lot of access controls. It even takes a look at the tellers or the people at the cash registers to make sure that, obviously, they have a right for their job to run the cards, so they play a role, so that's something you would document. Also have good access control systems that are put in place to allow you to be able to know if someone got in there that shouldn't have gotten in, or to be able to track any access to the cardholder data environment, be able to look at logs. So again, it comes down to really denying any sort of access unless it's specifically allowed, and the reason why they need to have that based on their role in the business.

Requirement 8 talks about identify and authenticate access to system components. So again, as we talked about having access to cardholder data, this is talking more specifically about access to systems. Now, everyone here who works probably has a unique user ID that they use to get into their network, and they probably authenticate by use of the password. So make sure that you don't have shared accounts but you actually have unique IDs, because that tracks to the individual who's doing things on the network. They also recommend strong password parameters. Now, PCI only requires seven digit characters for passwords to meet their compliance. Most organizations have adopted eight characters, so it's actually stronger, and the new NIST standards has upped that to twelve characters, and it has actually talked about not letting the passwords expire and basing it on a more complex password and encouraging people to use passphrases. Now, whether you agree with that or not, as you know, still one of the matters to
consider. But what PCI looks for is strong password parameters, and when I come in as an assessor I take a look to see if you're meeting the parameters that are at least as strong as what's required for PCI, if not better.

Now many of you might have heard of multi-factor authentication. Multi-factor authentication used to be called two-factor, then realized that some people may use more than two factors, so we've renamed that multi-factor authentication, and this is where two or more authentication methods are put into place. This may be something you know, such as your password. It may be a token that you have; many of you might have a token that you have either on your phone, or you have a token device that changes a number every 30 or 60 seconds, and you're required to type in that token as a way to get in. That's considered a multi-factor authentication. Another thing is who you are; that might be a biometric measure such as a thumbprint or fingerprint or some other measure to indicate that it's you. So multi-factor authentication is requiring two or more factors to authenticate into a system to allow you access, and for some of the more sensitive systems in the payment card data environment that they're looking at, they want to make sure that there's multi-factor authentication to better protect that, so that someone can't just get someone's password and then compromise the cardholder data. And again, I say here at the bottom, please do not use group, shared or generic IDs. I know that some organizations do that, but the problem with that is it's very hard to narrow down who the individual was if you have something that pops up and you're trying to track accountability. So we encourage that folks mitigate that as much as possible.

And now we are at polling question number three, so I'll read this: who are the independent assessors that are trained and certified by the PCI Security Standards Council? Is it the internal security
assessors, is it the QSAs, is it the BSA's, is it the point-of-sale Pio I, or are you not sure? And again, the point is I'm looking for independent assessors in this question. Give you a half a minute to reply. Okay, again most of you got this correct: it is the QSA, the qualified security assessors. Now the ISAs are trained in the same way, but typically they are more administrating the program management office for PCI assessments being done. They're certainly qualified to do them, but the independent assessor would be a QSA, so that would be the correct answer there.

Okay, getting down to requirement nine, we're restricting physical access to cardholder data. Now one of the things in security that we do a pretty good job of is we try to put up real good parameters around logical security, whether it's passwords, multi-factor authentication, encryption, so we do a lot of things there. But still we live in a physical world, and there is a physical location where there might be cardholder data. So the questions that are asked in requirement nine are limiting who can access those systems. So you definitely want to limit and monitor the physical access to anything in the cardholder data environment, so that may be, if you have a payment processing center or you have the servers that store the cardholder data, you might keep a log book to keep who goes back there. You want to be able to distinguish between on-site personnel and visitors. A lot of companies do have a visitor badge, like a yellow badge that's a different color than their personnel, so someone knows that this person is an authorized visitor, but they shouldn't be unescorted; they should have someone with them at all times unless they have a reason to be on their own. Also the visitors are authorized and a log maintained that they came into your environment. So I see a lot of organizations have a logbook that a visitor has to sign it, so that provides that mastered method. And it also talks about backups, because some of
your backups may hold encrypted cardholder data or it might have some cardholder information, so make sure those are secure physically.

One of the big areas that I find under requirement 9 is media classification. There are a lot of organizations that haven't really put into place media classification, and I think that's a key area, because what you're looking to do here is realize that some data is more sensitive and valuable than others. So I've seen some organizations have this unofficially; I've seen others document and say that cardholder data, PHI, PII is considered sensitive, and they classify any data that has that in a certain way, and there's certain rules for that organization to safeguard that. Another thing that happens here is, if media is no longer in use, a proper way to destroy that. Now media can apply to, like, a hard drive that you might have to have destroyed, but it also might actually be paper copies. For example, if someone has mailed in an order and they've written down their credit card number on a sheet on the order form, that is considered media, that's considered a means that stores cardholder information. And so once you process that order through the mail order fulfillment house, what you need to do, after that card number is entered into the system and the transaction accepted, you need to find a way to destroy it, whether you're shredding it or some other means out there. So it's really important that you have a proper procedure in place to get rid of media when you no longer really need it. Now in some cases businesses may need to hold on to a credit card number, and maybe they haven't moved to a tokenization process, but they need to have a good reason for maintaining those records.

And then also in requirement nine is training for identifying any devices that may be tampered, and this typically applies to the point-of-sale systems, and I'll show you an example here. So this is called a skimmer. Now a skimmer is a device that looks like a valid credit
card slot that you would put your card in, and it actually fits over the real slot. So if you were to go up to an ATM or to a gas pump or to a payment device and a skimmer was on it, you still would be able to make your purchase, you would still be able to pay; however, that small skimmer that's put on top would record your cardholder data. So again it captures it for the card-not-present availability and actually allows the thief to basically take your card and then use it for whatever means until you discover that your card's been compromised. So one of the things that we train people to do is to check for skimming devices, check to see if they are on there, or if the devices have been tampered with, such as seals broken off or other methods, measures that somebody might have put there in order to try to capture that cardholder information while someone makes a legitimate transaction. It's very effective, and these skimmers have gotten very small, and I've actually seen cases where someone at a convenience store, as the clerk turns their back for less than 30 seconds, they snap one of these on and no one notices, and it was caught actually on a video camera. It's a pretty interesting video.

So let's kind of go through the rest of the requirements. So requirement 10 is about logging and monitoring. It's tracking the access you have, so you want to have an audit trail for users who access your cardholder data. You want to see, through your intrusion prevention systems and detection systems, if someone tried to log in and didn't have the right security parameters to do that, it was an invalid attempt, they missed their password and they didn't have their token for multi-factor. You need to restrict access to the logs as well, because often when hackers break into an environment they will try to access the logs to make it look like they were never there when they were. So in addition to logging invalid attempts, you need to restrict access to the logs
and the ability to tamper with those logs. Another thing that's important on this requirement is time synchronization. Now there should be a centralized time-synchronized clock that all systems go through, and you need to make sure that all your systems are in sync with that master clock. What will happen is often a hacker may try to use that to again cover their tracks and make it look like they're not in, but if you notice that one of your systems that accepts or transmits cardholder data is off sync, it's possible that a hacker tried to compromise it and tried to back-set the timing to cover their tracks, and a good way to track that is it's out of sync on time. You also need to maintain the audit history of any logs for one year. Now, readily available: those logs should be readily available for three months, that you can easily get to it, but you should be able to go to your backups for one year of logs.

Okay, requirement 11 talks about test security systems and processes. This is where you come in and you have your internal and external network vulnerability scans and pen testing, and this is something that you need to do if you have a cardholder data environment. Merchants only have to have one internal and one external pen test per year. Service providers, the master data centers that are out there and managed service providers and so forth, they're required to have it done twice a year now, and that's a new requirement from PCI: the service providers have it done twice a year, but because they're processing transactions on behalf of merchants they have an extra requirement. Also have your intrusion detection and prevention in place.

When you go to requirement 12, everything in requirement 12 is about policies and procedures. So this is making sure that you have security policies that apply, especially as it revolves around the cardholder environment. Make sure it's available to folks, make sure that there are regular security procedures in place. Acceptable usage policies should
be out there. Assign people with security responsibilities; in the event that you do have an incident, assign a CERT team that has responsibilities for making sure that they're able to respond in case of an incident. So a security awareness program is one of the things we look for: do you have a security awareness program? And as part of that I may ask, are you actually asking people, or having people tell you and learn, how to check for skimming devices on the devices? How do you detect suspicious activity and fraud? So the security awareness is a big thing for PCI. Again, employee screening is something that we'll ask: if you have folks that are going to impact the cardholder data environment, how did you screen that employee? If that person is an administrator of those systems, or if that person is going to be a teller, or that person is going to be at the register, how did you screen that person to know that they met the right security parameters or met the right requirements in order to perform their function? And again, I told you QSAs have to have an annual background check done to make sure that we stay above board. Also policies for service providers that are providing new service in your environment: make sure that you have those documented. And then the key thing that I find a lot of organizations don't have is an incident response plan in place, and the advice I will give you on your incident response plan is you need to at least show some steps that you take and an escalation process of what to do in the event that you have a breach or malware or ransomware attack. Have something in place that talks about the actions you take.

There are a couple of appendices, actually three appendices. Appendix A only applies to shared hosting providers, so most folks never see this, but it may provide some extra parameters if you're actually hosting cardholder data on behalf of our merchants. And then A2 is going to be less and less, because this talks about additional PCI
requirements for organizations that are using older encryption, they call it SSL / early TLS, for point-of-sale terminal connections. They did say in 2018 that by June everyone had to get away from early TLS and SSL. Some organizations still had to keep it for a business reason, so because of that, appendix A2 is in there to ask some additional questions to make sure measures are taken to protect someone from those earlier encryption types. And then A3 is one that would be designated by an acquirer that says, I want you to fill out some additional questions to show that you are PCI compliant. So there are typically appendices available; sometimes they're used, sometimes they're not.

Now I want to talk a little bit about compensating controls. I do want to say we have our last polling question coming up, and I'm going to go to it real quick because I know we're at a point that I need to do that, and then I'll take you back to the rest of the presentation. So what are potential consequences of not being PCI compliant? Will you be fined, is there reputational damage that you'll face, is there a loss of ability to accept credit card and debit card payments, or all the above? And I realize I haven't gotten to this slide yet, but based on what you know about PCI, take your best guess of what you think is the right answer. Okay, all the above is the correct answer, so very good.

If you want to talk about compensating controls: compensating controls were in place in the event that an organization cannot meet one of the requirements, and I do see this. So the thing around this is you can have a compensating control if you're not able to meet one of the requirements, but it must address the risk that the original control is supposed to, and you also have to document that and have that looked at every year in order for you to be able to keep that compensating control. So it has to be approved by management and tested every year when you do your assessment. An example I had is there was
one company that had to use a piece of technology that didn't have proper encryption, so it would have failed the PCI compliance, but their legacy systems had to use that. But they did put up a firewall, a segmented network, and they put that into a room and required two-factor authentication to go to the terminal that would have viewed that information. By doing that, that compensating control addressed the risk and is acceptable for that.

So PCI DSS compliance is important because, you know, hackers and international organizations are targeting the payment channels, basically, now that we've moved to a society where most people use payment cards rather than cash and a lot of things are done online, they're able to capture that. There are high fees from non-compliance; these are there at the discretion of the payment brands. The payment brand can actually fine you a large sum of money if you're going to continue to use their cards, and then of course if you have a data breach you could be fined for that, and also you lose reputational status with a lot of organizations. I think a lot of people didn't shop at Target for a while after they had their breach. Other things to think about again is the loss of consumer confidence. I talked about fines. The one thing I can tell you is the credit card brands have the ability to tell you that you cannot accept their card payments anymore, that they will not allow you to do that, and I've actually heard of merchants that have lost the right to take MasterCard or Visa, and that can be devastating, and that's probably the strongest thing that card brands can do to enforce PCI compliance. Now again, it's not a law but a set of rules, and any credit card brand has the right to tell you that you can't use their cards, so having that can be very devastating; it may impact your business.

So the benefits of PCI compliance is that it's a standardization that's out there that everyone is needing to abide by. It does affect everyone. It increases the
ability to protect the cardholder information. Customers are going to have confidence when they know that you're PCI compliant, and it's better protection for them. The principles are universal; they're across the board, so they apply regardless of where you are in the world. You can wear advice and statistics show that when you have an incident response plan or good security measures in place, you can reduce the cost of breach and what the impact would be to your business.

So I'm gonna come to my summary slide and we'll have a few minutes for questions. Again, PCI compliance is a requirement but it is not a law, and the card brands have the ability to implement methods if organizations are not doing their PCI compliance. The card brands set the standards, but the PCI Security Council is the governing board who basically administrates these standards, publishes the forms that need to be filled out for these assessments and qualifies the QSAs to do this. Again, organizations with over 6 million card transactions do a report on compliance, and other organizations typically do a self-assessment questionnaire, and there are a number of questions under the 2 requirements.

And speaking of questions, one of the things I have here now is I've been asked where can you find a QSA and what do they typically cost. So Paul, I think you got that question, and that's a good one to ask. Are you asking the questions, or do you want me to read those?

Oh, you can go ahead and read that one, I'll take care of the rest.

That's okay. Okay, so you go to the PCI data security standards site. You can go online and there's a tab there that you hit, or a link, that hits qualified assessors, and you can find an assessor by name or you can find a company. So if you go out there, you'll click on the link, and then if you pulled up bkt as a company, what it would show is, it would show also anyone who was the administrator oversight of that particular program. So you can find them there and there's a contact
number to reach that person. As far as cost goes, that's dependent on the type of assessment you need done and the organization you hire. Any more questions, Paul?

Yeah, we just got one here: is it true that the skimming machines can be detected if you wiggle the card in the slot as it's being inserted? The question asker says when they get gas especially they usually do this. Is that an effective way to detect this?

Well, I would go up before you put your card in and see if it snaps off; that's typically what I would do. Once you put your card in, that magnetic strip is going to be read and your card data will be compromised.

We got one here: is there a tolerance level for the number of controls that may be ineffective but yet still be in compliance with the PCI DSS?

No, it's an all-or-nothing, so you need to meet all the controls that are underneath that. Now there might be some controls that are not applicable, and it's okay to indicate that, but you do have to say later on in the form or the report that you're filling out why you've checked not applicable. So for example, if you don't store cardholder data and there's a control that says Stark around cardholder data, you can check that as not applicable, and you'd put at the end of the form, at the bottom, that you've checked that not applicable because you don't store cardholder data on premises.

Just got another one here: are the skimmer devices easy to snap off, or would it require someone to use some tools?

I guess it depends on the skimmer. Typically the ones that I've seen have been pop on or pop off, but again somebody might be more diligent and create a more robust one to avoid capture or being compromised. So I guess the best answer there is it depends on the skimming device.

Okay, we might have time for a couple more. Just a reminder, if you do have any questions and you want us to answer those, go ahead and pop them into the GoToWebinar toolbar and we'll be able to get back to you via email.
Maybe one more question, Rex: is the PCI only for the United States, or does it apply internationally as well?

It is an international standard, actually. So one of the payment card brands, JCB, is actually a Japanese popular card that is used, and they're one of the founding members. But PCI compliance is worldwide, and in fact assessor companies have to register by region in order to perform PCI assessments in each of those areas. So it is an international standard. Europe has done a great job of leading the way, but the standards do apply internationally.

Great. While we're here, we want to thank you, Rex, for the presentation, and thanks again to everybody for attending today's webinar, and have a great day.

Keep your eSignature workflows on track

Make the signing process more streamlined and uniform
Take control of every aspect of the document execution process. eSign, send out for signature, manage, route, and save your documents in a single secure solution.
Add and collect signatures from anywhere
Let your customers and your team stay connected even when offline. Access airSlate SignNow to Sign Kansas Banking Permission Slip Computer from any platform or device: your laptop, mobile phone, or tablet.
Ensure error-free results with reusable templates
Templatize frequently used documents to save time and reduce the risk of common errors when sending out copies for signing.
Stay compliant and secure when eSigning
Use airSlate SignNow to Sign Kansas Banking Permission Slip Computer and ensure the integrity and security of your data at every step of the document execution cycle.
Enjoy the ease of setup and onboarding process
Have your eSignature workflow up and running in minutes. Take advantage of numerous detailed guides and tutorials, or contact our dedicated support team to make the most out of the airSlate SignNow functionality.
Benefit from integrations and API for maximum efficiency
Integrate with a rich selection of productivity and data storage tools. Create a more encrypted and seamless signing experience with the airSlate SignNow API.
Collect signatures 24x faster
Reduce costs by $30 per document
Save up to 40h per employee / month

Our user reviews speak for themselves

Kodi-Marie Evans
Director of NetSuite Operations at Xerox
airSlate SignNow provides us with the flexibility needed to get the right signatures on the right documents, in the right formats, based on our integration with NetSuite.
Samantha Jo
Enterprise Client Partner at Yelp
airSlate SignNow has made life easier for me. It has been huge to have the ability to sign contracts on-the-go! It is now less stressful to get things done efficiently and promptly.
Megan Bond
Digital marketing management at Electrolux
This software has added to our business value. I have got rid of the repetitive tasks. I am capable of creating the mobile native web forms. Now I can easily make payment contracts through a fair channel and their management is very easy.

Award-winning eSignature solution

be ready to get more

Get legally-binding signatures now!

  • Best ROI. Our customers achieve an average 7x ROI within the first six months.
  • Scales with your use cases. From SMBs to mid-market, airSlate SignNow delivers results for businesses of all sizes.
  • Intuitive UI and API. Sign and send documents from your apps in minutes.

A smarter way to work: —how to industry sign banking integrate

Make your signing experience more convenient and hassle-free. Boost your workflow with a smart eSignature solution.

How to eSign & fill out a document online

Document management isn't an easy task. The only thing that makes working with documents simple in today's world, is a comprehensive workflow solution. Signing and editing documents, and filling out forms is a simple task for those who utilize eSignature services. Businesses that have found reliable solutions to industry sign banking kansas permission slip computer don't need to spend their valuable time and effort on routine and monotonous actions.

Use airSlate SignNow and industry sign banking kansas permission slip computer online hassle-free today:

  1. Create your airSlate SignNow profile or use your Google account to sign up.
  2. Upload a document.
  3. Work on it; sign it, edit it and add fillable fields to it.
  4. Select Done and export the sample: send it or save it to your device.

As you can see, there is nothing complicated about filling out and signing documents when you have the right tool. Our advanced editor is great for getting forms and contracts exactly how you want/need them. It has a user-friendly interface and total comprehensibility, providing you with full control. Register right now and begin increasing your electronic signature workflows with highly effective tools to industry sign banking kansas permission slip computer online.

How to eSign and fill documents in Google Chrome

Google Chrome can solve more problems than you can even imagine using powerful tools called 'extensions'. There are thousands you can easily add right to your browser called ‘add-ons’ and each has a unique ability to enhance your workflow. For example, industry sign banking kansas permission slip computer and edit docs with airSlate SignNow.

To add the airSlate SignNow extension for Google Chrome, follow the next steps:

  1. Go to Chrome Web Store, type in 'airSlate SignNow' and press enter. Then, hit the Add to Chrome button and wait a few seconds while it installs.
  2. Find a document that you need to sign, right click it and select airSlate SignNow.
  3. Edit and sign your document.
  4. Save your new file to your profile, the cloud or your device.

By using this extension, you eliminate wasting time and effort on monotonous activities like downloading the data file and importing it to a digital signature solution’s collection. Everything is close at hand, so you can quickly and conveniently industry sign banking kansas permission slip computer.

How to eSign forms in Gmail

Gmail is probably the most popular mail service utilized by millions of people all across the world. Most likely, you and your clients also use it for personal and business communication. However, the question on a lot of people’s minds is: how can I industry sign banking kansas permission slip computer a document that was emailed to me in Gmail? Something amazing has happened that is changing the way business is done. airSlate SignNow and Google have created an impactful add on that lets you industry sign banking kansas permission slip computer, edit, set signing orders and much more without leaving your inbox.

Boost your workflow with a revolutionary Gmail add on from airSlate SignNow:

  1. Find the airSlate SignNow extension for Gmail from the Chrome Web Store and install it.
  2. Go to your inbox and open the email that contains the attachment that needs signing.
  3. Click the airSlate SignNow icon found in the right-hand toolbar.
  4. Work on your document; edit it, add fillable fields and even sign it yourself.
  5. Click Done and email the executed document to the respective parties.

With helpful extensions, manipulations to industry sign banking kansas permission slip computer various forms are easy. The less time you spend switching browser windows, opening many accounts and scrolling through your internal data files searching for a doc, the more time you have for other essential activities.

How to securely sign documents in a mobile browser

Are you one of the business professionals who’ve decided to go 100% mobile in 2020? If yes, then you really need to make sure you have an effective solution for managing your document workflows from your phone, e.g., industry sign banking kansas permission slip computer, and edit forms in real time. airSlate SignNow has one of the most exciting tools for mobile users. A web-based application. industry sign banking kansas permission slip computer instantly from anywhere.

How to securely sign documents in a mobile browser

  1. Create an airSlate SignNow profile or log in using any web browser on your smartphone or tablet.
  2. Upload a document from the cloud or internal storage.
  3. Fill out and sign the sample.
  4. Tap Done.
  5. Do anything you need right from your account.

airSlate SignNow takes pride in protecting customer data. Be confident that anything you upload to your profile is secured with industry-leading encryption. Automatic logging out will protect your user profile from unwanted entry. industry sign banking kansas permission slip computer from your mobile phone or your friend’s phone. Protection is key to our success and yours to mobile workflows.

How to eSign a PDF file with an iOS device

The iPhone and iPad are powerful gadgets that allow you to work not only from the office but from anywhere in the world. For example, you can finalize and sign documents or industry sign banking kansas permission slip computer directly on your phone or tablet at the office, at home or even on the beach. iOS offers native features like the Markup tool, though it’s limiting and doesn’t have any automation. Though the airSlate SignNow application for Apple is packed with everything you need for upgrading your document workflow. industry sign banking kansas permission slip computer, fill out and sign forms on your phone in minutes.

How to sign a PDF on an iPhone

  1. Go to the AppStore, find the airSlate SignNow app and download it.
  2. Open the application, log in or create a profile.
  3. Select + to upload a document from your device or import it from the cloud.
  4. Fill out the sample and create your electronic signature.
  5. Click Done to finish the editing and signing session.

When you have this application installed, you don't need to upload a file each time you get it for signing. Just open the document on your iPhone, click the Share icon and select the Sign with airSlate SignNow option. Your sample will be opened in the application. industry sign banking kansas permission slip computer anything. Moreover, making use of one service for your document management needs, everything is faster, better and cheaper. Download the app today!

How to eSign a PDF document on an Android

What’s the number one rule for handling document workflows in 2020? Avoid paper chaos. Get rid of the printers, scanners and bundlers curriers. All of it! Take a new approach and manage, industry sign banking kansas permission slip computer, and organize your records 100% paperless and 100% mobile. You only need three things; a phone/tablet, internet connection and the airSlate SignNow app for Android. Using the app, create, industry sign banking kansas permission slip computer and execute documents right from your smartphone or tablet.

How to sign a PDF on an Android

  1. In the Google Play Market, search for and install the airSlate SignNow application.
  2. Open the program and log into your account or make one if you don’t have one already.
  3. Upload a document from the cloud or your device.
  4. Click on the opened document and start working on it. Edit it, add fillable fields and signature fields.
  5. Once you’ve finished, click Done and send the document to the other parties involved or download it to the cloud or your device.

airSlate SignNow allows you to sign documents and manage tasks like industry sign banking kansas permission slip computer with ease. In addition, the safety of your info is priority. Encryption and private web servers can be used as implementing the newest functions in data compliance measures. Get the airSlate SignNow mobile experience and operate more efficiently.

Trusted eSignature solution: what our customers are saying

Explore how the airSlate SignNow eSignature platform helps businesses succeed. Hear from real users and what they like most about electronic signing.

5
anonymous

This service is really great! It has helped us enormously by ensuring we are fully covered in our agreements. We are on a 100% for collecting on our jobs, from a previous 60-70%. I recommend this to everyone.

5
Susan S

I've been using airSlate SignNow for years (since it was CudaSign). I started using airSlate SignNow for real estate as it was easier for my clients to use. I now use it in my business for employment and onboarding docs.

5
Liam R

Everything has been great, really easy to incorporate into my business. And the clients who have used your software so far have said it is very easy to complete the necessary signatures.

Frequently asked questions

Learn everything you need to know to use airSlate SignNow eSignatures like a pro.

How do you make a document that has an electronic signature?

"How do you make this information that was not in a digital format a computer-readable document for the user?"

"So the question is not only how can you get to an individual from an individual, but how can you get to an individual with a group of individuals. How do you get from one location and say let's go to this location and say let's go to that location. How do you get from, you know, some of the more traditional forms of information that you are used to seeing in a document or other forms. The ability to do that in a digital medium has been a huge challenge. I think we've done it, but there's some work that we have to do on the security side of that. And of course, there's the question of how do you protect it from being read by people that you're not intending to be able to actually read it?"

When asked to describe what he means by a "user-centric" approach to security, Bensley responds that "you're still in a situation where you are still talking about a lot of the security that is done by individuals, but we've done a very good job of making it a user-centric process. You're not going to be able to create a document or something on your own that you can give to an individual. You can't just open and copy over and then give it to somebody else. You still have to do the work of the document being created in the first place and the work of the document being delivered in a secure manner."

How to insert electronic signature in pdf document?

Insert the electronic signature as shown below. In this article I will be sharing with you the steps to insert an electronic signature in a PDF document. I am using the Windows operating system.

Step 1: Create a new pdf document and name it as "Test PDF Document".

Step 2: Open the new pdf document. Go to menu bar and click on View, then click on the View tab. In the view tab, you'll find the view mode, and click on view mode. In the view mode window, under "Text Format", click on the tab, and then click on "Text" tab.

Step 3: Now it's time to add an electronic signature. So, from the "Text Format" tab, under "Text" tab, click on "eSignatures" as shown below.

Step 4: Here, we are adding two eSignatures. One for the first paragraph of the text and one for the second paragraph of the text. In the text section, click on the "Save as" option and name the new pdf doc as "First Page eSignatures".

Step 5: Now it is time to insert the electronic signature for the first paragraph of the text. In the text section, from the "First page eSignatures" tab, click on the "Insert Electronic signature" option. In the popup window, click on the "+eSignatures" button.

Step 6: Now it's time to insert the electronic signature for the second paragr...

How do I digitally sign a PDF?

And I have my PC and my PC has my printer, which means that if I print it on a PC and sign it with the PC it will not print on my printer. Do I do it in the PC or on the PC? Please help.