Legal Issues Week 8– PCI – Payment Card Industry DSS Data Security Standard Gary A Bannister – FCMA, AICPA, CGEIT

Post on 05-Jan-2016



Page 1: Legal Issues Week 8 – PCI – Payment Card Industry DSS Data Security Standard

Legal Issues Week 8 – PCI – Payment Card Industry DSS (Data Security Standard)

Gary A Bannister – FCMA, AICPA, CGEIT

Page 2: Legal Issues Week 8 – PCI – Payment Card Industry DSS Data Security Standard

Learning Objectives

A basic understanding of PCI and its impact on information security.

How it is used by the courts.

The difference between best-practice compliance and legal compliance.

Page 3: Legal Issues Week 8 – PCI – Payment Card Industry DSS Data Security Standard

Why PCI

Page 4: Legal Issues Week 8 – PCI – Payment Card Industry DSS Data Security Standard

The E-commerce Business Need for PCI

Of the approximately 650,000 complaints about fraud that the US Federal Trade Commission received each year in the period 2004 – 2006, identity theft was the main complaint 35% - 36% of the time.

21% of banking institutions have either suffered a security breach in the past two years, or don't know whether they have. Another 35% have been victims of a phishing attack. (Source: State of Information Security Survey 2008, www.bankinfosecurity.com)

Page 5: Legal Issues Week 8 – PCI – Payment Card Industry DSS Data Security Standard

Understanding PCI

There are 3 standards:

PCI Data Security Standard (PCI DSS) – the core standard for merchants and processors. It is for protecting cardholder data.

Payment Application Data Security Standard (PA-DSS) – for software developers who sell commercial applications for accepting and processing card data.

PIN Entry Device Security Requirements (PED) – for manufacturers of payment card devices.

We will focus on PCI DSS.

Page 7: Legal Issues Week 8 – PCI – Payment Card Industry DSS Data Security Standard

The Standards Manager

The PCI Security Standards Council was founded in 2006 by MasterCard, VISA, Discover and Amex. They share equal responsibility in Council governance.

Others that participate include merchants, banks, hardware and software vendors, and other technical and legal working groups.

Page 9: Legal Issues Week 8 – PCI – Payment Card Industry DSS Data Security Standard

Crucial Roles in Compliance

Card Brand Compliance Programs: each of the card company brands has adopted the standard, but they have some small variations in how they implement it.

Qualified Assessors: the Council qualifies two kinds of assessors.

QSA – Qualified Security Assessor. The QSA is a consultant who assesses an organisation's compliance with the standard.

ASV – Approved Scanning Vendor. ASVs validate compliance with the standard's external network scanning requirements.

Self-Assessment Questionnaire: some merchants are able to self-assess, primarily level 2 to 4 merchants.

Page 15: Legal Issues Week 8 – PCI – Payment Card Industry DSS Data Security Standard

How a Credit Card Payment Process Works

Authorisation: the merchant requests and receives authorisation. There are many points of vulnerability along the way that could expose the cardholder data to unauthorised access.

Clearing: the acquirer and issuer exchange information about the purchase.

Settlement: the merchant's bank pays the merchant for the cardholder's purchase, and the cardholder's bank bills the cardholder or debits the cardholder's account.
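The three-stage flow above, as an added illustration that is not from the presentation: a small Python model that traces which parties handle the full card number at each stage and checks what the merchant is left holding afterwards. The party names, message fields, the masking rule and the list of sensitive authentication fields are assumptions made for the illustration.

```python
# Constructed sample card: a well-known test PAN, not a real account.
SAMPLE_CARD = {"pan": "4111111111111111", "expiry": "12/29", "cvv": "123", "name": "A CARDHOLDER"}
SENSITIVE_AUTH = {"cvv", "track_data", "pin"}  # assumption: never retained after authorisation

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits of the PAN and mask the rest."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or len(digits) < 13:
        raise ValueError("malformed PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def touch(flow: dict, party: str, fields) -> None:
    flow["handled"].setdefault(party, set()).update(fields)  # record who saw which fields

def authorise(flow: dict, card: dict, amount: int, issuer_balance: int) -> bool:
    """Stage 1: merchant sends card data via the acquirer to the issuer, which approves or declines."""
    for party in ("merchant", "acquirer", "issuer"):
        touch(flow, party, card.keys())  # full cardholder data crosses all three parties
    approved = amount <= issuer_balance
    # The merchant retains only a masked PAN and the outcome, never the CVV.
    flow["records"]["merchant"] = {"pan": mask_pan(card["pan"]), "amount": amount, "approved": approved}
    return approved

def clear(flow: dict, card: dict, amount: int) -> None:
    """Stage 2: acquirer and issuer exchange purchase details (full PAN for routing, no CVV)."""
    for party in ("acquirer", "issuer"):
        touch(flow, party, {"pan", "expiry"})
    flow["records"]["acquirer"] = {"pan": card["pan"], "amount": amount}

def settle(amount: int, merchant_balance: int, issuer_balance: int) -> tuple:
    """Stage 3: the acquirer pays the merchant; the issuer debits the cardholder's account."""
    return merchant_balance + amount, issuer_balance - amount

def run_purchase(card=SAMPLE_CARD, amount=50, merchant_balance=0, issuer_balance=100):
    """Run the three stages for one purchase; a declined authorisation stops the flow."""
    flow = {"handled": {}, "records": {}}  # party -> fields seen; party -> record retained
    if not authorise(flow, card, amount, issuer_balance):
        return flow, merchant_balance, issuer_balance
    clear(flow, card, amount)
    merchant_balance, issuer_balance = settle(amount, merchant_balance, issuer_balance)
    return flow, merchant_balance, issuer_balance

def merchant_retains_sensitive_data(flow: dict) -> bool:
    """True if the merchant's retained record holds a full PAN or any sensitive auth field."""
    rec = flow["records"].get("merchant", {})
    return bool(set(rec) & SENSITIVE_AUTH) or rec.get("pan", "").isdigit()

def exposure_points(flow: dict) -> list:
    """Parties that handled the full PAN: each is a point where exposure could occur."""
    return sorted(p for p, fields in flow["handled"].items() if "pan" in fields)
```

Every party that appears in `exposure_points` is a place where the standard's controls on stored and transmitted cardholder data apply; `merchant_retains_sensitive_data` is the kind of check an assessor would make of what a merchant keeps after authorisation.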

Page 44: Legal Issues Week 8 – PCI – Payment Card Industry DSS Data Security Standard

Issues: Is PCI the Law?

Only in Minnesota, under Statute 365E.64. Legislators in at least 10 states thought Minnesota was a good idea and drafted bills to have their own, but they never passed.

Proposals were also made to Congress, but no bills were passed. The view from most lawmakers is that anything passed would conflict with PCI DSS as it stands. Other critics say that making it law turns the PCI Security Standards Council and the card companies into quasi-legislative, quasi-judicial bodies with the power to set regulations and punishments yet be accountable to no one.

So for now PCI is not the law, but it is enforceable under the private contractual conditions stipulated by each of the card brands.

Page 45: Legal Issues Week 8 – PCI – Payment Card Industry DSS Data Security Standard

Issues: High Cost

Vendor-backed standards are difficult to maintain and sustain. Judges have looked at best practice and, alongside ISO 27002, look at PCI. The credit card companies demand compliance if businesses and e-commerce sites want to use their credit cards.

Page 46: Legal Issues Week 8 – PCI – Payment Card Industry DSS Data Security Standard

Questions?