Before we go into what the NetWatcher PCI-DSS Service provides, let's review what you need to know as an SMB about PCI DSS compliance.
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations (merchants) that handle branded credit cards from the major card brands including Visa, MasterCard, American Express, Discover, and JCB.
PCI DSS is not a law. It is mandated by the card brands and administered by the Payment Card Industry Security Standards Council (PCI SSC); the standard was created to increase the controls around cardholder data and so reduce credit card fraud caused by its exposure. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) who produces a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
You can read the entire standard here.
There are 12 top-level requirements that have to be met to be considered PCI DSS compliant; each is broken down into many detailed sub-requirements.
Merchants fall into one of four levels (Level 1 through Level 4) based on annual transaction volume, with the thresholds set by each card brand.
You can find the Self-Assessment Questionnaire (SAQ) here.
There are hefty fines for non-compliance. The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The bank will most likely pass this fine downstream until it eventually reaches the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase your transaction fees.
Even if a merchant is 100% PCI compliant and validated, a breach in cardholder data may still occur. Cardholder Breaches can result in the following losses for a merchant.
- $50-$90 fine per cardholder data compromised
- Suspension of credit card acceptance by a merchant’s credit card account provider
- Loss of reputation with customers, suppliers, and partners
- Possible civil litigation from breached customers
- Loss of customer trust, which affects future sales
So if you are a small-to-medium sized business (a Level 4 merchant) what do you have to do in order to satisfy the PCI DSS v3.0 requirements?
- Determine which Self Assessment Questionnaire (SAQ) your business should use to validate compliance. See the chart.
- Complete the Self-Assessment Questionnaire according to the instructions it contains.
- Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Note scanning does not apply to all merchants. It is required for SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant and SAQ D-Service Provider.
- Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool).
- Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.
The full set of SAQ documents is available here.
Note that penetration testing is strengthened in version 3.0. Requirement 11.3 calls for a documented penetration testing methodology and for internal and external penetration tests of the cardholder data environment at least annually and after any significant change. Whether it applies to you depends on which SAQ you are eligible for: it appears in SAQ D and SAQ A-EP, for example, but not in SAQ A or SAQ B. You will find more info here on penetration testing and PCI 3.0. While most of version 3.0 is mandatory from January 1, 2015, Requirement 11.3 is a best practice until June 30, 2015 and becomes a requirement on July 1, 2015. Until that date you can continue to follow the version 2.0 requirements for penetration testing.
Keep in mind that there is also a very big difference between vulnerability scanning and penetration testing that you need to be aware of. A vulnerability scan is an automated check that identifies and reports known weaknesses (missing patches, weak configurations, exposed services) but does not exploit them; a penetration test is a manual, goal-driven exercise in which a tester actively exploits weaknesses, chains them together and shows what an attacker could actually reach in your cardholder data environment. A passing ASV scan therefore does not satisfy Requirement 11.3, and a penetration test does not replace the quarterly scans.
As an SMB merchant why should you care?
Because 31% of cyber attacks are aimed at small business (Symantec Internet Security Threat Report), and more than 50% of small-to-medium sized businesses have experienced at least one data breach (Ponemon Institute).
So you might be wondering how many of these breaches are happening in companies that have to maintain PCI compliance. One source to keep an eye on is the Heritage.org research reports. Here are a few from 2014:
- Target. In January, Target announced that an additional 70 million individuals' contact information was taken during the December 2013 breach, in which 40 million customers' credit and debit card information was stolen.
- Neiman Marcus. Between July and October 2013, the credit card information of 350,000 individuals was stolen, and more than 9,000 of the credit cards have been used fraudulently since the attack. Sophisticated code written by the hackers allowed them to move through company computers, undetected by company employees for months.
- Michaels. Between May 2013 and January 2014, the payment cards of 2.6 million Michaels customers were affected. Attackers targeted the Michaels POS system to gain access to their systems.
- Aaron Brothers. The credit and debit card information for roughly 400,000 customers of Aaron Brothers, a subsidiary of Michaels, was compromised by the same POS system malware.
- P.F. Chang’s China Bistro. Between September 2013 and June 2014, credit and debit card information from 33 P.F. Chang’s restaurants was compromised and reportedly sold online.
- Home Depot. Cyber criminals reportedly used malware to compromise the credit card information for roughly 56 million shoppers in Home Depot’s 2,000 U.S. and Canadian outlets.
- Goodwill Industries International. Between February 2013 and August 2014, information for roughly 868,000 credit and debit cards was reportedly stolen from 330 Goodwill stores. Malware infected the chain store through infected third-party vendors.
- SUPERVALU. SUPERVALU was attacked between June and July, and suffered another malware attack between late August and September. The first theft included customer and payment card information from some of its Cub Foods, Farm Fresh, Shop ‘n Save, and Shoppers stores. The second attack reportedly involved only payment card data.
- Bartell Hotels. The information for up to 55,000 customers was reportedly stolen between February and May.
- Dairy Queen International. Credit and debit card information from 395 Dairy Queen and Orange Julius stores was compromised by the Backoff malware.
Many small merchants believe that installing a PA-DSS validated payment processing application from a third party satisfies all of the PCI DSS requirements. It does not. Although installing a validated payment application is a very important part of PCI DSS compliance, it is only one element of it. The PCI DSS contains more than 200 individual requirements, most of which have nothing to do with POS or PMS products: network segmentation, access control, logging, patching, vulnerability scanning and policy all remain the merchant's responsibility. And keep in mind that if you are designated as non-compliant, the role the third party can play is limited to answering technical questions about its products for the QSA or law enforcement and reviewing the forensic report. The third party is not responsible for any fines, penalties, chargebacks or other costs in the event that you are compromised.
Many also believe that the new EMV chip-and-PIN technology will protect the card data collected by POS systems. EMV makes counterfeit cards much harder to produce and use in card-present transactions, but it is not a silver bullet: it does not encrypt the card data that still flows through the POS software, the store network and the back-end systems, and it does nothing for card-not-present (e-commerce) fraud. There are still other areas within typical payment systems where both card and customer data can be exposed. For example, many of the recent large-scale POS breaches targeted the software responsible for processing the credit card transactions and for collecting customer information such as user IDs and PII. Many organizations still house a treasure trove of customer and corporate data on their back-end processing systems and servers, and those remain prime targets. Criminals may also turn to other techniques to use the technology shift to their advantage. One example is the recent surge of "replay" attacks in which data thieves used recently stolen credit card information to spoof transactions on the card networks as chip-enabled transactions.
So how can NetWatcher's PCI-DSS Service help you with your PCI DSS version 3.0 compliance as an SMB?
Specifically we help you with the following mandates:
- 5.1.1 – Monitor zero day attacks not covered by antivirus
- 6.1 – Identify newly discovered security vulnerabilities
- 6.5 – Have processes in place to protect applications from common vulnerabilities such as injection flaws, buffer overflows and others
- 6.6 – Address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks
- 10.2 – Automated audit trails
- 10.3 – Capture audit trails
- 10.5 – Secure Logs
- 10.6 – Review logs at least daily
- 10.7 – Retain audit trail history for at least one year, with a minimum of three months immediately available online for analysis
- 11.2 – Perform internal and external network vulnerability scans at least quarterly and after any significant network change; external scans must be performed by an ASV (includes 11.2.1, 11.2.2 and 11.2.3)
- 11.4 – Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network