Hello and welcome to CyberRays. Intermediate Days Security Course PC. I, continued Albie instructor Dustin Perry
in today's video. We're going to pick up where we left off, then move going over P. C. I.
First, we're going to discuss the PC I three step process.
After that, we're going to go over the variance compliance levels for PC I. And lastly, we'll discuss the costly penalties that could apply if you fail to secure PC I data. So let's get started.
We're going to start this lesson with just a quick quote on P C. I from QSR Quick Service Restaurant magazine.
The security benefits associated with maintaining PC I compliance are vital to the long term success of all merchants who process card payments.
This includes continual identification of threats and vulnerabilities that could potentially impact the organization.
Most organizations never fully recover from data breaches because the loss is greater than the data itself,
and that is definitely true.
A lot of businesses have had to close their doors because of a PC I data breach.
So it's definitely important that we take this stuff seriously and always try and and meet or exceed these compliance. Um
as we get go through it
so the PC I three step process has noticed on the screen. It is a cycle. So once you finish, you kind of keep going around and never ends. The first step in the PC I three set process is assessed.
This is where you will identify a cardholder data
taken inventory of any I T assets that includes registers, pos systems and even the networks that they're on.
You also want to go over business processes for card payment card processing and analyze them for vulnerabilities. Make sure that everything makes sense.
Once you're done assessing, you'll move on to the remediation stage. And this is where you actually fix these vulnerabilities and eliminate the storage of cardholder data. Unless again, it's absolutely necessary. If you can. You never want a story any of that data that just adds unnecessary risk.
Once you're finished, remediating the vulnerabilities, you'll move on to the reporting stage,
and this is where you'll compile and summit any required reports to the appropriate acquiring bank and card brands.
Then you start all over assess, look for more vulnerability, see where you can improve
and again start all over.
Ah, qualified security Ancestor is a data security firm that is qualified by the PC I counsel to perform on site PC I. Data Security Standard Assessments.
The assessor will verify all technological information given by the merchant or service provider,
use their own independent judgment to confirm the standard has been met or has failed to meet,
provide support and guidance during the compliance process So they're they're toe to help you get compliant.
They are hard to be on site for the duration of the assessment,
They need to adhere to the PC I data security standard assessment procedures. They've got their own procedures that they have to follow.
Validate the scope of the assessment. So that's basically making sure that they are including everything that touches that PC I Data sets the networks that these devices air on the physical devices themselves. In the business practices
evaluate any compensating controls. Sometimes it's impossible to meet a certain requirement, but there may be something you can do to kind of help make that requirement.
Um, count basically,
and then the assessor will also produce the final report on compliance so they'll give you the stamp of approval and approved scanning. Bender is a data security firm that uses a scanning solution to determine whether or not the customer meets the external vulnerability scanning requirement.
Approved scanning vendors are qualified by the PC I SSC or Security Standards Council, to perform extra network and system scans as required by the PC I data security standard.
And these are typically your, um,
Elektronik vulnerability assessments.
You can find a list of qualified security sensors and skinning vendors online.
Is that a quick quiz question?
How does the PC I three step process work?
This is more of a cycle than a process, but it's definitely important to understand all three steps.
Yeah, the first up is assessed. You want to identify any cardholder data or UM,
A I T assets and business processes for payment card processing and analyze them for vulnerabilities,
for the next step is remediate.
You want to fix these vulnerabilities and limiting the storage of cardholder data.
Lastly, you will report compiling and submitting any required reports to the appropriate acquiring bank and card brands.
Once you finish that, you'll start all over and get back into that assess phase then remediated,
reports are the official method by which merchants on other entities report their compliance satis with the PC I data security standard to their respective acquiring financial institutions or payment card brands.
Quarterly submission of a report for network scanning may also be required, so this depends on which level you fall into which will get into the compliance levels. Next
individual payment Guard brand. Some may require submission of other documentation. This is where you really need to see their websites for informations. You need to check on who your payment brands are
and make sure meeting their standards as well.
Depending on the payment card brand requirements, merchants and service providers may need to submit A s a que or a self assessment questionnaire for self assessments or a report on compliance for any on site assessments.
There are two components to the South Assessment questionnaire.
The 1st 1 is a set of questions that correspond to PC I. D. S s requirements designed for service providers and merchants,
and the second part is an access station of compliance or basically a certification that you are eligible to perform and have performed the appropriate self assessment,
typically inappropriate at a station will be packaged with the questionnaire that you select.
There are four main levels of PC I compliance, and all of these levels are based on the amount of transactions your organization processes each year.
So merchant level one is any merchant, regardless of acceptance. Channel processing over six million visa transactions per year.
Any merchant that visa at its sole discretion determine should meet level one merchant requirements to minimize the risk to the visa system.
Any merchant, regardless of acceptance. Channel processing one million to six million visa transactions per year
Level. Three. Any merchant processing 20,000 to 1 million V c e commerce transactions per year
and level forest. Any merchant processing fewer than 20,000 v c e commerce transactions per year in all other merchants, regardless of acceptance channel processing up to one million transactions per year.
So if you are a level four merchant
you suffer a PC, I data breach
any merchant that has suffered a breach
can be escalated to a higher validation level, so if this year 2020 your level four later in the year get a data breach
visa could move you up to Level three requirements for next year.
The payment brands may at their discretion fine acquiring banks 5000 to $100,000 per month for PC I compliance violations.
The banks typically will pass these finds along until eventually it hits you the merchant.
Furthermore, the bank will also most likely terminate your relationship or increase any fees like transaction fees.
Normally, penalties are not openly discussed or widely publicized, but they can definitely be catastrophic. Toe a small business.
It's important to be familiar with your merchant account agreement, which should kind of outline your exposure.
There's a lot of potential liabilities. In addition to the monetary fines.
Lost confidence. Many customers will go to other merchants after a certain one beats a or
diminished sales. Because you're losing customers, you're obviously gonna lose sales.
There's typically an additional cost of reissue restoring new payment cards. This is more for like a bank or anybody that offers that are on payment cards,
fraud losses, typically the responsible to pay for any losses due to fraud as well.
Then again, I mentioned you can move to higher costs. You can change levels about compliance levels, which could
include MAWR costs. You may need to get new equipment toe help secure your data.
Of course, you've got your legal costs, settlements and judgements so someone could sue you for losing their data,
the fines and penalties and we kind of went over these a little bit. They can range from 5000 to $100,000 per month, and it really just depends on what happened.
Termination of ability to Accept Payment Cards If this has happened multiple times, they may just say you're not allowed to accept payment cards anymore. But it means you're an only cash business in a digital world.
Lost jobs This is typical. If a company suffers a PC, I data breach thesis. So CEO, CEO or any
dependant positions on those may be fired and lose their job and doesn't look good on your resume.
And lastly, your company could go out of business. All this can just be too much for a lot of companies, and it happens all the time.
So in today's video, we finish our discussion on PC I. We went over the PC I three step process assessed for Mediate and Report. We went over the basic compliance levels required and some of the penalties that could occur if you fail to meet the compliance levels
up next, we've got Ph I.