In this webinar, SecurityMetrics' Andrew Garrett, Product Marketing Manager, covers:
This webinar was hosted on August 22nd, 2018.
0:00 Welcome to today's webinar. This is PCI Basics for Merchants: the What, Why and How, and my name is Andrew. I work in marketing here at SecurityMetrics and I'll be presenting today. I've been working here for a couple of years now. I've written a lot of content directed to merchants, helping you better understand how to get PCI compliant, how to know what requirements apply to you and how to meet those requirements to better secure your data. So hopefully we can have a good webinar today, and at the conclusion of the webinar we will also have a Q&A session so that you can chat in any questions that come up during the webinar using your GoToWebinar control panel.
0:49 We will answer as many of those as we can during the webinar and if we don't have time to get to your question, we will have someone reach out to you on an individual basis to make sure you get the answers you need. We are recording this webinar and we will have a recording that we can send out to you in the next couple of days along with the slide deck for your review.
1:23 You're welcome to share this with others in your organization and review it as you feel necessary. We wanted to start off today with this little quote, “There's no harm in hoping for the best as long as you're prepared for the worst”. Just something to keep in mind. Obviously no one hopes for a data breach but because of the times that we live in, data breaches and hackers are on the rise. It is something you need to be prepared for and the best way to do that is by following some of these security mandates such as the PCI DSS.
2:08 We're going to go ahead and talk about three data breaches in the past several years that could have been avoided through PCI compliance, just to give you a few examples to start off. Some of you may remember this data breach: this was Home Depot back in 2014. This was a very large-scale data breach that affected 56 million Home Depot customers, where a hacker was able to access the credit card information. As a forensic analysis was conducted, they discovered that there were several PCI regulations that were not being met. Had Home Depot been a little more careful to meet these standards, then this data breach could have been avoided. The next example is from 2016. Hackers stole 4.2 million records of government employees. Some of you may have been affected by this. This could have been avoided through PCI compliance.
3:40 The last breach that I wanted to touch on here was back in 2007. The TJX company, which owns TJ Maxx, Marshalls and HomeGoods, was breached and more than 80 gigs of cardholder data was stolen without the company knowing. Upon further investigation it was uncovered that TJX was violating nine of the twelve PCI controls at the time of the breach.
4:15 This isn't meant to be a scare tactic, but just to show you that this is real and data breaches do happen, and there are bad people out there that want to access your card data. Just to impress on your minds the importance of the PCI-DSS.
Let's go over how the PCI-DSS can protect you. PCI-DSS stands for Payment Card Industry Data Security Standard and it's basically 12 card handling practices that merchants must follow to accept payment cards.
5:01 PCI-DSS was established over a decade ago. It was set up by the major card brands: Mastercard, Visa, American Express, Discover, etc. They came together and said we need to create this PCI-DSS to make sure that merchants are accepting, handling and storing card data securely. So if you are a merchant that accepts credit cards, you are required to follow the PCI-DSS.
5:41 Why should you care about becoming PCI compliant? The number of data breaches is only increasing. From 2016 to 2017 the number of data breaches in the U.S. rose 44.7%, and the leading cause of those breaches is hackers: unauthorized access by people that are not from your organization, that are not supposed to be there, but who are able to gain access to your sensitive data through different hacking methods. That remains the leading cause according to the Identity Theft Resource Center. Some other causes include employee negligence. If you have employees that are being careless, or maybe they're not properly trained or they're just unaware of security best practices, that has also been a leading cause for breaches in recent years. These are some things to be aware of.
Another reason to become PCI Compliant is because it is a requirement. It is mandated by the major card brands and you are required to report your compliance to your merchant processor. Merchants that do not report their compliance can be subject to non-compliance fees and some hefty fines in the case of a data breach. In the event of a data breach, the fines can frequently total over $100,000. It can be very expensive. We hear all the time about small businesses that suffer a data breach and are not able to recover financially.
7:43 Make sure that in the event of a data breach you do have a plan in place. If you can prove to forensic investigators that you were attempting to implement the PCI-DSS and you were making efforts to protect your data, then many times the fines will not be as severe.
8:22 So, how do I become PCI Compliant? This is a question we are asked all the time and it is a pretty in-depth process. For simplicity's sake we've broken it down into four main steps. First you need to identify your scope, then you need to complete a self-assessment questionnaire or an SAQ. The third step is you need to achieve a passing scan from an approved scanning vendor and the fourth step is that you need to report your compliance to your merchant processor.
9:02 Step one, identify your scope. What does this mean? Your scope is defined as anything that processes, stores or transmits cardholder data, and anything that can initiate a connection to any of the systems that handle cardholder data. You also need to evaluate the people and systems that are in communication with your systems. There are always processes that you may not think of or realize. For example, if you're a retail store that swipes cards, do you ever take card numbers over the phone or receive emails with card information? Are any paper orders received? Was there a power outage where card data was manually written down?
9:48 What you want to do is identify your systems that touch cardholder data and then you'll want to ask yourself these questions on your screen. What do we do as an organization? How do we make money? Why do we handle card data? And what devices do we use to store, process or transmit this data? If you can answer those questions then you can define your scope. And here at SecurityMetrics, if you do need additional assistance defining what is within your scope, we have tools available to help you with that as well as support agents that can assist you. Some system components that are most likely in scope for your environment are networking devices, servers, switches, routers, computing devices and applications. Anything that touches your cardholder data in any way is going to be considered in scope. So that's the first step, defining your scope.
Step two is to complete the self-assessment questionnaire.
11:03 There are a few different types of self-assessment questionnaires. SAQ-A is for an e-commerce website that fully outsources its card acceptance to a third party. That is one of the shorter questionnaires; actually it is the shortest, at 22 questions. Depending on how you accept cards at your business there are a few different types of SAQs. We have SAQ-C and SAQ-D, which are probably two of the most common SAQ types that we see. Being in the digital age, most businesses are using an internet connection to process cards, so it's likely that SAQ-C or SAQ-D applies to you.
12:03 SAQ-D is the most comprehensive SAQ and has 329 questions. At SecurityMetrics we have agents available to help you through your SAQ if you require assistance. And one thing to remember about the SAQ is that it is a self-assessment questionnaire. So it is something you do on your own; you're assessing yourself. Could you go through the SAQ and just check yes to all the questions? Yes, you could do that. But in reality, who are you really helping if you do that? If you just check the boxes and say yes, yes, yes, I'm doing this, it's really not the best practice, because what you want to do is take the SAQ seriously, read through the questions and make sure that you are in fact implementing the security best practices to make sure that you are storing and processing card data securely.
13:12 After you've completed your SAQ the third step is to achieve a passing scan. Merchants that process, store or transmit cardholder data online are required to have an external network vulnerability scan performed by an approved scanning vendor or an ASV. SecurityMetrics is an ASV and there are a number of other ASV companies that can complete this for you. Basically it checks for vulnerabilities on your network or e-commerce website. You must achieve a passing status on your scan to be PCI compliant.
13:55 An example that we use a lot here at SecurityMetrics is to compare it to a security guard walking around a building. If you think of a security guard walking around testing all the doors, making sure they are locked, making sure that no windows are open so that someone could get inside, that's kind of what an external vulnerability scan is. It's testing to make sure that all your access points are secured and that you couldn't have some unauthorized access getting into your network from the outside and accessing your sensitive data.
14:37 Once you've completed your scan the next step is to report your compliance. If you do have a PCI vendor like SecurityMetrics, this is something we can help you out with. We can report your compliance to your merchant processor for you. This is something that is required annually. You are required to report your compliance to your acquiring bank or your merchant processor so that they can verify that you are maintaining the security best practices and that you are following the PCI-DSS.
15:23 Let's briefly touch on some additional validation requirements. Depending on your business there are a few additional requirements that may or may not apply to you. First is an internal vulnerability scan, which is slightly different from an external vulnerability scan. This scan will actually check for vulnerabilities within your network. Then there is the penetration test. This is also similar to a scan, but the pen test is more exhaustive. It's a live examination designed to exploit weaknesses in your system. Often this is referred to as ethical hacking. So you're hiring a hacker, an ethical hacker, to test your network and use the same techniques that a hacker would to see if they can break into your network. This is something we can do here at SecurityMetrics. If you go back to the example of a security guard walking around a building, the pen test would be more like a security guard trying to actually break into the building, trying to break windows, making sure that the windows are actually strong enough to withstand a simple breakage, trying to pick the locks. So the pen test is more in depth. We're really trying to break in and make sure that it is hacker-proof.
17:20 The next thing is Security Policy Implementation. Some of you may already have security policies and procedures and according to the PCI-DSS there are certain things that you need to include in your policies and procedures.
And then finally, PCI and Data Security Training. This is something we briefly touched on earlier. Employee negligence can often be the cause of a data breach. If your employees are being careless, if they are unaware of security best practices, then you could say you're leaving the door open or a window cracked to go back to that example again. But through training your employees on PCI and data security best practices, you can ensure that your employees are doing the best that they can do to maintain secure data at your business.
Another question we get a lot is, how often is PCI compliance validation required? PCI compliance is not just a one-time thing that you check off and then you're done; it is something that you should be thinking about on a daily basis. Again, going back to the employee training, if your employees are trained properly then they should be conducting business according to PCI standards. Something we say is, annual validation and daily compliance. So yes, you should be thinking about it on a day-to-day basis, but you are required to actually report it annually to your merchant processor.
19:14 Just another reminder on this: don't just check the compliance box. If you are going through and just checking the boxes and saying, sure I do that, yeah sure, I do that, then you are really leaving your system and your network open to hackers and you're leaving yourself vulnerable. So checkbox compliance is not what we want. Yes, you do want to report your compliance to your merchant processor, but the idea is not to just check the boxes as quickly as possible, turn in your report and then forget about it. You want to make sure you're actually implementing the things outlined in the PCI-DSS, because at the end of the day, that's what's really going to protect your business.
19:57 So how can SecurityMetrics help? We have many people in attendance today. I don't know whether you're all current SecurityMetrics customers or if you are new to the process and just learning about PCI for the first time but if this is something that you would like us to help you with this is our area of expertise and we are happy to help. We can provide you with the appropriate SAQ that you need to complete and we can help you with your scoping. We are an approved scanning vendor. We can also provide you with a managed firewall if that's something you need. We can provide you with employee trainings and we have a quality service guarantee.
20:42 If this is something that you need help with, feel free to reach out to us. We are going to be sending you an email in the next couple of days with this recording and the slide deck for you to review. Feel free to reply to our email and we'll get back to you. SecurityMetrics can help you understand your PCI compliance. We help you discover the PCI requirements that are applicable to you based on your company's situation. Each company accepts and stores cards differently, so there may be some requirements that apply to you that don't apply to another business. And then we help you report your compliance once you've completed that process.
21:37 What will this cost? It's a question we hear all the time. If you're a small business, the SAQ is going to be between $50 and $200. You're looking at $100 to $150 for a vulnerability scan and if you need some trainings and policy development it's about $70 per employee. So for small businesses, you could be looking at something that's just a few hundred bucks. And again, that's not monthly that's an annual budget. So if this is something that you're just getting started with and you'd like to begin implementing at your business, it is something that can be very affordable. If a full on-site audit is something you need, we are equipped to do that as well. Those are some of our more expensive services listed to give you an idea of what we're qualified to do here at SecurityMetrics. We can help you.
23:01 Whether you're a mom-and-pop shop or a large organization, we have the expertise and the experience to help. So just to finish up here, this is a quick little quiz, just for fun, to see if you were paying attention. You can answer in your head on your own for a quick review. What was the leading cause of data breaches last year, in 2017?
23:33 And the answer is B, hackers. That was the leading cause, and through 2018 the trends seem to be very similar, so we can expect hackers to continue to be the leading cause of data breaches in the near future. That's why securing your data is so important.
23:57 Question number two: which SAQ is for merchants with a website that provides an iframe or URL that redirects consumers to a third-party payment processor? The answer to this one is A, SAQ-A, the shortest SAQ. If that applies to you, this would be the SAQ that you need to complete. Our last question here is: how many requirements make up the PCI-DSS? And the answer here is C, 12. There are 12 requirements that make up the PCI-DSS. Within those 12 requirements there are a number of sub-requirements, but there are 12 main categories of requirements that make up the PCI-DSS.
24:53 A final thought here: "For every lock, there is someone out there trying to pick it or break in." David Bernstein. This is just something to leave you with. Remember there are bad people out there, people that want access to your sensitive data. And because of the times we live in, almost every business is accepting credit cards in some form. And for every credit card that is accepted, data is stored somewhere and there's somebody out there that wants access to it. Remember, be careful and be secure and always be cautious as you are conducting business. Make sure that you are always following the PCI-DSS and implementing security best practices to avoid any data breach or data compromise at your business.
25:56 We're going to finish up here with a quick Q&A. We have 5 to 10 minutes, depending on how many questions we have come in. Thanks for chatting in those questions. First question: can vulnerability scans be performed if the web application will be hosted on a cloud service? The answer to this is no. At SecurityMetrics we currently do not have the capability to scan if it's hosted on a cloud. If you'd like more information on some vulnerability scanning and pentesting, we can have someone reach out to you.
27:11 Another question here: will you better explain the difference between a vulnerability scan and a pen test? A penetration test is a more exhaustive form of an external vulnerability scan. So while they are very similar, the vulnerability scan is really just checking to make sure everything is secure, whereas the pen test is actually trying to break in and exploit those weaknesses in the network.
27:52 Here is another question: am I required to have an on-site audit to be PCI compliant again? The answer is that this is dependent on your organization, but typically if you're a small business an on-site audit is not required for PCI compliance. You'll just be required to complete that SAQ, pass your scan and report your compliance. So an on-site audit would not be required.
28:35 Okay well, that looks like all the time we have for questions for today. Thanks everyone for joining us on this webinar. We will be sending out this recording for your review. If you'd like to join us at our next PCI Basics webinar we will be hosting another one of these next month. We host one every month and you're always invited to attend. If there's someone else that could benefit from this information, feel free to invite them. Our next one will be in September and they're always on a Wednesday. So thanks everyone for joining us today and for being in attendance. We hope you were able to gain some information from this webinar and we look forward to working with you soon. All right. Thanks. Bye.