PCI Compliance: Overview

PCI Compliance: Overview

April 26, 2011 2:00 pm

(Save to cal)


Adam Goslin, co-founder of High Bit Security, will review the basics of PCI Compliant Hosting and describe the first steps to preparing to meet the standard.

Tuesday 4.26.11 @ 2pm

View Slides




Adam Goslin (Slide 1 - Introduction): Well good afternoon everybody, this is Adam Goslin with High Bit Security. I’m hosting the webinar sponsored by Online Tech. Thank you very much by the way for having me out and participating in this, it should be a good session. We’ll be doing an overview of the PCI DSS (Payment Card Industry-Data Security Standard), just a high level overview of what it’s about, its areas of impact, etc… Really, this session will be a lead in into the 2nd session, which will be Next Tuesday, where we will go over a lot of requirements in greater detail. The intent of this session is to familiarize the audience with PCI DSS with its impact, its scope, etc…

Adam (Slide 2 - About High Bit Security): So, let’s get started with the presentation. Here’s a little background on High Bit Security. There are two main business lines involved with High Bit Security. High Bit is assisting companies with obtaining or maintaining PCI Compliance. We help companies with ranges from Level 1 to Level 4 compliance. We will talk about the compliance levels later in the presentation. We also have programs that assist companies of all sizes that deal with PCI DSS. What we’ll do, is that we will first give them an idea of where they stand against the PCI DSS standards performing what is called a GAP Analysis. A GAP Analysis is basically comparing where the company stands in comparison to the compliance requirements vs. the reality of what they have in their environment and wherever there are gaps, we’ll give them suggestions on how to remediate them or fix them. We also coordinate with security assessors for the larger engagements with Level 1 customers in order to keep them in the loop of what we are doing with your PCI DSS standard compliance.

The other side of High Bit is providing cost effective Penetration Testing, whether it’s internal or external.  Penetration Testing is basically assessing the security of your network or application. So we’ll do Penetration Testing from inside or outside your network. We’ll look at the network layers as well as the application layer. In High Bit’s case, we perform manual Penetration Testing by security engineers that hold industry recognized certifications. So, they have a fare amount of depth in terms of experiences and capabilities in that arena.

Adam (Slide 3 - PCI Compliance Overview): So, for PCI Compliance as a high overview perspective, it does stand for the Payment Card Industry Data Security Standard. PCI DSS was founded back in 2004. There were five different card brands that wanted to join forces for their security programs and they collectively created this standard (Visa, MasterCard, Discover, JCB, and American Express). The intent of this standard is to provide protection for its cardholder data, otherwise known as CHD. One of the things you learn as you familiarize yourself with PCI-DSS is that there is a fare share of acronyms and I’ll do my best to explain those as we go through the presentation. Basically, the intent is to protect the CHD through an approach covering all aspects of the technology based solution. This goes everywhere from policies & procedures through the infrastructure layer and everything in between. When they rolled the program out, it was initially implemented through core payment processors, and from there was pushed out to their customers. When they did this rollout, they started with the largest of customers so they could get the most amount of coverage. The program has been rolling out to not only the large customers, but to smaller customers as well, like the mom & pop pizza shops that simply have a Point of Sales (PoS) terminal. We are now starting to see an attraction in this arena as well.

Adam (Slide 4 - PCI Compliance - Who Is Impacted?): As far as who is impacted, one of the most common misconceptions about PCI is that it only applies to the large e-commerce style companies. The bottom line is that PCI applies to EVERY organization that receives, stores, processes or transmits cardholder data, from the large e-commerce online retailers to the single mom & pop pizza shop. To that end, the impact of the organization is far different depending on what they are doing with that data. So the large e-commerce retailer that is collecting cardholder data, storing information on their servers, running payment processing engines against it, pushing it out to various card payment processors will obviously have a much more significant impact felt as a result of PCI, as to the customer that has a single PoS terminal and never actually stores any of that data on any of their systems. So there’s a fairly broad range of impact to the organizations that are involved.

PCI breaks out compliance into Levels, which for sake of simplicity for this presentation; we split it up into sections. Level 1 is processing 6 million + annual transactions and Levels 2-4 are processing less than 6 million annual transactions.

Adam (Slide 5 - PCI Compliance - Levels of Compliance): Part of the reason we make that distinction is that because if you fall into that category of a Level 1 compliance situation, it’s really a lot more intense.
There’s almost an expectation at this point in the game that this will make a significant impact on the organization. So for those Level 1 merchants, they have a series of requirements that include filing an Annual Report on Compliance (ROC), which must be filed by a Qualified Security Assessor (QSA). As well, they have to do quarterly network scans by an Approved Scan Vendor (ASV). And finally, they have to complete an Attestation of Compliance (AOC).

That said and done, Levels 2-4 is less than 6 million annual transactions. For the companies that fall into those categories, they’ll need to file an Annual Self Assessment Questionnaire (SAQ). They’ll also have to do quarterly network scans by an ASV and complete an AOC as well. Now, for Level 4 merchants who are doing extremely small volumes of transactions, some things such as an ASV or AOC are only needed if applicable or if compliance validation requirements are set by the acquirer. So one common question that comes across and that a lot of companies will do is they’ll actually opt to be on the Level 1 list. Now the single major difference between whether you are a Level 1 or a Level 2-4 really comes down to the fact that you have a QSA that will come in and help verify or validate that you have truly met all of the requirements of PCI. So there are companies that are doing less than 6 million transactions annually that opt to Level 1. This is done in part for notoriety of their marketplace. Only Level 1 merchants show up on the published VISA list. So there are definitely companies doing less than six on the Level 1 compliance list.

Adam (Slide 6 - PCI Compliance - SAQs): There are a wide variety of SAQs out there. There is an SAQ A, which is Card-not-present Merchants, All Cardholder Data Functions Outsourced. There is also an SAQ B, which means Merchants with Only Imprint Machines or Only Standalone, Dial-Out Terminals. No Electronic Cardholder Data Storage. They created a new one out recently called SAQ C-VT, which is Merchants with Web-Based Virtual Terminals, No Electronic Cardholder Data Storage. There’s also SAQ C- which is Merchants with Payment Application Systems Connected to the Internet, No Electronic Cardholder Data Storage. And finally there is SAQ D, which means All Other Merchants and All Service Providers Defined by a Payment Brand as Eligible to Complete an SAQ. That is the way they have those broken out.

Adam (Slide 7 - PCI Compliance - First Steps): Now for PCI Compliance, the first steps to getting ready for compliance, is to find someone with knowledge of PCI. I come from a unique situation in that I started off my adventure into the PCI space by working at a company that was striving to become Level 1 Compliant. I can’t even begin to tell you how many countless months were spent on just getting your arms around it and understanding what this means, knowing which direction to go in, which solutions are the right ones.

You’d be amazed at how many things in the marketplace where they have solutions that are supposed to work and they sound wonderful, but implementing them is more a pain that what they said. So certainly getting some advice from someone who has been through the process would be the best advice I could give someone going to PCI Compliance. It allows you to quickly gain understanding of where your organization stands against the PCI DSS standards. It allows you to mitigate the amount of time (cost) required by internal IT resources and as you’ll see in the next webinar, there are impacts that range far beyond just your IT department. It impacts your vendors, accounting and HR departments.

So the impacts of PCI can felt across an entire organization, but the bulk will be felt on your internal IT resources. It will also allow you to streamline the process of getting to solution discussions, and when you have a gap in a PCI compliance engagement, the solution may be to develop a hierarchy of solutions. One is that we make every attempt to leverage the internal resources as much as possible for multiple reasons:

1.) More cost effective for our customers.

2.) It improves the amount of insight and training that the internal staff get out of the engagement.

And if internal staff cannot fix the issue, we may look to add external software from a 3rd party, or hardware and other services vendors depending on where the gap may lay.

One of the biggest tasks when you first are facing PCI compliance is taking a look at the threat as to where the CHD currently sits in the company. There is typically one of two scenarios involved. The first scenario involves an existing company that has been around for a long time and they’ve had a system in place for awhile and they are now facing PCI. In a lot of cases the way the network is structured, the way that the firewalls are configured puts essentially all of its resources into one big bucket. So you either opt to segregate the bucket, or you can create a separate PCI environment. Regardless of what solution you choose, at all times mitigation of how big and how spread your cardholder data environment is, is far none the biggest factor of mitigating costs for PCI compliance.

Adam (Slide 8 - PCI Compliance - First Steps Continued): So PCI Compliance is a compliance requirement that according to the card companies has 12 requirements, but when it comes to it, they boil down into over 260 different individual requirements ranging from HR hiring / firing policies and procedures to the lockdown of services on each individual machine in the Card Holder Environment (CHE). And planning for your move to PCI compliance is absolutely essential. The 1st thing to do would be to look at your current CHD environment and make sure you have that as small as humanly possible and once you have that game plan together for how you’re going to implement your PCI Compliance environment, planning it out is absolutely essential, whether you’re leveraging a physical or virtual infrastructure. The amount of time you spend on planning for what you’re going to do will in the end save you an imaginable amount of pain as you go through the process.

Adam (Slide 9 - PCI Compliance - Infrastructure Factors): Just to clarify, a lot of the comments earlier pertain to large scale engagements. For the smaller level engagements that only have a PoS terminal, you’re still subject to PCI requirements, however you’re not storing cardholder data or transmitting it or receiving it yourself, a lot of the impact of the scope of PCI is then mitigated. There are actually nice and easy ways for Level 4 merchants to get PCI Compliance. That said and done, Infrastructure Factors now come into play. The costs of becoming PCI compliant are directly proportional to the breadth of your Card Holder Environment (CHE). In many cases, companies will opt to migrate from one platform to another when performing their PCI compliance for several reasons. Maybe it’s the age of their existing infrastructure, or the fact that they need to segregate CHE from existing non CHE functionality. Maybe it could be the ability to keep present systems available without impact. There is a lot of time and hours that go into creating a PCI environment, and segregating that time into nights and weekends will only stretch out the amount of time that you spend working on it. So in a lot of cases, companies will stand up a separate CHE and migrate from one to another. Also, they can work on that secondary environment and do all of the tweaking and installs and lockdowns needed on that environment while keeping the other one up and running.

Adam (Slide 10 - PCI Compliance - Physical vs. Cloud): The question of Physical vs. Cloud with the advent of Cloud Computing which has really taken shape the past couple of years, it’s a question that we get relatively frequently. What really comes down to it is if you have a small CHE, a physical infrastructure may make the most sense. If you already have one and you’re CHE isn’t that spread out and you don’t have much segregation, then you may just be able to make the modifications you need to an existing physical infrastructure. If you have a lot of devices, Cloud architecture, or more specifically Private Cloud Architecture may start to look more appealing. Just to note, a Public Cloud from some of the large players in the market, would not work for meeting PCI.

A strong recommendation to if you’re looking towards Cloud Architecture, I would highly looking into finding a hosting provider that can provide you with private cloud hosting. In both cases, whether you are doing a Physical Infrastructure or a Private Cloud, everything must meet the requirements of PCI-DSS. This also applies to all Levels as well. So regardless of which Level you are or what implementation style you choose, based on what you are doing with that cardholder data, you are required to be compliant with PCI. One of the more disturbing things noticed in the marketplace is dependencies on the smaller shops to just go down the questionnaire and check “yes” for everything. It seems like a great idea at the time; the exception is that you’ll be found wholesale liable for anything that happens in your environments as a result of you choosing “yes.”I would highly recommend not going that route.

The Cloud Architecture also allows for staging of mostly compliant VMs as a base. What I mean by that is that is when you’re sitting and doing your planning for PCI, you will be mapping out your planning and asking yourself, “How do I want it to look like?” “How many servers will I need?” So you’re going to have that all mapped out and the one benefit of a Private Cloud is that if I had 15 File Servers and 42 Web Servers, there has to be a certain level of work that must be done to the base like configuration of each individual server, so that you can go in and do it once to get the base like copy of it, and take that copy and push that out to my other instances that I need and then configure from there.

When I say that the pre-planning is a huge part of it & a lot of these decisions will come into play as you go down the path because if you’ve done the pre-planning, it can go quite smoothly from there. Also with Cloud Architecture, you will need special considerations for the hypervisor (virtual environment management) and from the PCI-DSS perspective; they have mandated that the hypervisor terminals meets the security requirements of the most secure device that is in your environment.

Adam (Slide 11 – PCI Compliance – Impact Areas): I’m just going to briefly go over these requirements since we’ll be going into these in more detail at next week’s webinar, but here’s the list for a reference.

1.) Install and maintain a firewall configuration to protect cardholder data.

2.) Do not use vendor-supplied defaults for system passwords and other security parameters.

3.) Protect stored cardholder data.

4.) Encrypt transmission of cardholder data across open, public networks.

5.) Use and regularly update anti-virus software on all systems commonly affected by Malware.

6.) Develop and maintain secure systems and applications.

7.) Restrict access to cardholder data by business need-to-know.

8.) Assign a unique ID to each person with computer access.

9.) Restrict physical access to cardholder data.

10.) Track and monitor all access to network resources and cardholder data.

11.) Regularly test security systems and processes.

12.) Maintain a policy that addresses information security.

Adam (Slide 12 – PCI Compliance – Upcoming Webinars): We have two upcoming webinars.

Tuesday 5.03.2011 @ 2 P.M. – PCI Compliance: Detailed Requirements Walkthrough

Tuesday 5.10.2011 @ 2 P.M. – PCI Compliance: Penetration Testing and Enhancing Security for Networks and Applications.

Adam (Slide 13 – PCI Compliance – Q & A): So we have come to the conclusion of the presentation of PCI High Level Overview. If anyone has any questions I could get 1-2 questions in being that I would like for us to promptly finish at 2:30. If any of you have any questions, feel free to post them in the question board, otherwise all of my contact information is up on the screen:

High Bit Security: Adam Goslin

Cell: 1-248-388-4328

Email: agoslin@HighBitSecurity.com

Feel free to call or email me. We perform pre-consultations for PCI-DSS compliance as well as Penetration Testing, so we would be happy to help you and assist you with your needs.

April Sage: Adam, thank you so much. That was a great overview and we have a couple of questions for you.

Q: What realistic expectation should a company set as far as a timeline to meet Level 1 Compliance from the beginning stages of looking as to what’s involved to actually achieving the process?

Adam: It does depend on how big the organization is and how much spread is among their cardholder environment. For the average PCI implementation to Level 1 compliance for the upfront analysis portion of figuring out where you stand the requirements is typically a 2 month process from start to finish. Then depending on what gaps there are, I’d say a decent average of 3-7 months in implementation and for final checks and tweaks about in total around a 9 month process, which gives you some breathing room.

Part of the reason why it takes so long is that it involves so many policies and procedures of the company. You got people from Accounting & HR involved and you have to worry about their schedules as well, along with Developers and Network Administrators, who will have multiple projects on their plate.

Another thing to look at is the dedication of those resources into getting the job done. It will take a lot of internal resources and a lot of labor hours and it’s something that I think that companies do not prepare themselves for in the long run.

April: Well it seems that companies will have to put a lot of internal resources to the table in order to get this done, but what about from a budget perspective? What can we expect companies to do there as well?

Adam: A lot of this once again depends on the existing infrastructure and whether or not it can meet PCI Compliance. Also a lot of internal and external resources come into play as well. If I had to through a rough estimate out there, I would say on average somewhere around $200,000. Although, I’ve seen companies get away with it as low as $120,000 and as high as $250,000. It just honestly depends on the existing infrastructure and how much internal and external resources they’ll need to get the job done.

And that’s why finding someone who’s been through the process is key in helping in cutting costs and ultimately saving you money and time in the process as well.

April: Well, thank you very much Adam for joining us today. We will be back next week with Part 2 in our PCI Compliance Webinar Series: Detailed Requirements Walkthrough and in the meantime, feel free to email Adam any questions and we can try to answer those over the next two weeks. Thanks again Adam.

Adam: Thanks to everything who attended and I hope to see you all back next week.

Back to Top

Webinars    |    Online

Get started now. Exceptional service awaits.