Transitioning from PCI DSS 2.0 to 3.1

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Transitioning from PCI DSS 2.0 to 3.1"

Transcription

1 Transitioning from PCI DSS 2.0 to 3.1 What You Need to Know April, 2015 Emma Sutcliffe, Director, Data Security Standards

2 About the PCI Council Founded in Guiding open standards for payment card security Development Management Education Awareness

3 PCI Core Security Standards Protection of Cardholder Payment Data Manufacturers PCI PTS Pin Entry Devices Software Developers PCI PA-DSS Payment Applications Merchants & Service Providers PCI DSS Secure Environments PCI Security & Compliance P2PE Ecosystem of payment devices, applications, infrastructure and users

4 More PCI Standards and Programs PCI HSM Security Requirements PCI PIN Security Requirements Terminal Software Security Guidelines ATM Guidelines document PCI Card Production Mobile Best Practices Qualified Integrator and Reseller Tokenization Product Security Guidelines

5 The Standards Continually Evolve Feedback Research Threat Landscape

6 Feedback and Involvement Board of Advisors Executive Committee Participating Organizations Standards & Operations Committees Task Forces & Working Groups Special Interest Groups

7 Happy New Year! 1 st January 2015 PCI DSS v3.0

8 At a Glance PCI DSS v2.0 to v core security principles of PCI DSS remain Some new sub-requirements that impact PCI DSS security efforts Future implementation dates provided for more significant changes Guidance on business as usual Enhanced testing procedures to clarify level of validation expected for each requirement Aligned language between requirements and testing procedures for consistency Added Guidance Column to clarify intent of each requirement Separate from Report on Compliance (ROC) reporting template

9 New Requirements Effective July 1 st Develop web applications to protect against broken authentication and session management Service providers use a unique authentication credential for each customer Protect card-reading devices used to capture payment card data from tampering and substitution 11.3* Implement a methodology for penetration testing for service providers acknowledgement of responsibility * PCI DSS v2.0 requirements for penetration testing must be followed until v3 is in place.

10 PCI DSS v3.1

11 Types of Changes Change Type Clarification Additional guidance Evolving Requirement Definition Clarifies intent of requirement. Ensures that concise wording in the standards portrays the desired intent of requirements. Explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic. Changes to ensure that the standards are up to date with emerging threats and changes in the market.

12 PCI DSS v3.1 Key Themes Clarification & Guidance Evolving Requirements

13 Summary of Changes

14 PCI DSS v3.1 Change highlights Corrections to format and typographical errors Clarification of language to promote understanding & consistency Clarification & Guidance Updates to guidance column Removal of redundant language Updated compensating control example

15 PCI DSS v3.1 Change highlights Requirement 3.4 new testing procedure to address hashed and truncated PAN in the same environment Clarification & Guidance Requirement 6.6 updated testing procedure to clarify WAF alerts are immediately investigated Requirement 4.2 Included SMS as an example of end-user messaging technology and added guidance Emphasized requirements and testing procedures that apply only if the entity is a service provider

16 PCI DSS v3.1 Change highlights Testing Procedure clarification that both devices and device location be observed Requirement address concerns about daily log monitoring applying to out-of-scope systems Clarification & Guidance Requirement clarified penetration testing is to verify out-of-scope systems are segmented from systems in the CDE Testing Procedure 12.9 clarification for assessors to review templates rather than actual agreements

17 PCI DSS v3.1 Change highlights Evolving Requirements SSL and early TLS no longer considered to be strong cryptography PCI DSS Requirements 2.3, and 4.1

18 Addressing SSL in PCI DSS v3.1 Summary of approach SSL and early versions of TLS are not considered strong cryptography Future sunset date for using these protocols as a security control will be defined to allow time to migrate New implementations should not use SSL or early versions of TLS Existing implementations will need to have a documented plan to address risk mitigation during migration Allowance for POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits

19 New and Existing Implementations What is a new implementation? What is an existing implementation?

20 POS POI Environments Why allowance for POI environments?

21 ASV Scans How do SSL vulnerabilities affect ASV scan results?

22 Additional Guidance Information Supplement Clarification on new vs. existing implementations Guidance on allowances for POS POI environments Suggestions/examples of risk mitigation techniques Suggestions/examples on alternative cryptographic options Webinar Available on PCI SSC website

23 Where Do I Begin with the Migration Process? Suggested steps: Identify all system components and data flows that use/support vulnerable protocols Identify business and/or technical need for using the vulnerable protocol Immediately remove or disable instances without a supporting business or technical need Identify technologies to replace the vulnerable protocols Document a migration project plan Implement risk reduction controls Perform migrations and follow change control procedures Update system configuration standards as migrations are completed

24 Understanding PCI DSS v3.1 Review Summary of Changes, FAQs and Information Supplement Work with PCI DSS coordinator, departments involved with payments, and your acquirer or payment brands to understand key questions Determine if SSL or early TLS is used in your environment Plan migration according to PCI DSS and supporting guidance

25 What Else? Supporting documents will also be updated Self-assessment Questionnaires (SAQs) Attestations of Compliance (AOCs) Reporting Templates PCI DSS Glossary of Terms, Abbreviations, and Acronyms Prioritized Approach FAQ Knowledgebase

26 PCI DSS v3.1 Key Themes Clarification & Guidance Evolving Requirements

27 Recent Bulletins & Webinars Shellshock GHOST Backoff

28 Tokenization Product Security Guidelines Technical best practices Security considerations include: Token generation How tokens are retained for use (e.g. in back office systems) and storage Secure implementation controls to address potential attack vectors and mitigate associated risks Just Released!

29 Special Interest Groups Recent Publication Penetration Testing Guidance Difference between vulnerability scans and penetration tests Qualifications of a penetration tester Penetration testing methodology Penetration test reporting guidance and template

30 Making Payment Security Business-as-Usual

31 Maintaining PCI DSS Compliance

32 Compliance vs. Security

33 Challenges of Maintaining Compliance Reliance on annual assessments Pressure to meet customer demands Failing to adapt to changes

34 Implementing PCI DSS into BAU Processes Monitor security control operation Detect and respond to security control failures Understand how changes in the organization affect security controls Conduct periodic security control assessments

35 BAU Guidance Resources Guidance within PCI DSS Information Supplement: Best Practices for Maintaining PCI DSS Compliance

36 Partner with the Council

37 Training Highlights PCI Awareness Training PCI Essentials PCI Professional Program (PCIP) Internal Security Assessor (ISA) Online! Qualified Security Assessor (QSA) Qualified Integrators and Resellers (QIR) Program Corporate Group Training Let Us Come To You! To learn more, visit:

38 The Formula for PCI Success + + = Technology Processes People Security

39 Maintaining Security is Running a Marathon, not a Sprint

40 Save the Dates Community Meetings 2015

41 Please visit our website at

42 Questions?

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 3.0 to 3.1

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 3.0 to 3.1 Payment Card Industry (PCI) Data Security Standard Summary of Changes from PCI DSS Version 3.0 to 3.1 April 2015 Introduction This document provides a summary of changes from PCI DSS v3.0 to PCI DSS v3.1.

More information

Mobile Payment Security

Mobile Payment Security Mobile Payment Security Gill Woodcock 2014 About the PCI Council Founded in 2006 - Guiding open standards for payment card security Development Management Education Awareness PCI Security Standards Suite

More information

PCI Compliance 2012 - The Road Ahead. October 2012 Hari Shah & Parthiv Sheth

PCI Compliance 2012 - The Road Ahead. October 2012 Hari Shah & Parthiv Sheth PCI Compliance 2012 - The Road Ahead October 2012 Hari Shah & Parthiv Sheth What s the latest? Point-to-Point Encryption (P2PE) Program Guide Updated Solution Requirements and Testing Procedures for hardware-based

More information

PCI DSS: A Look Inside V3.2

PCI DSS: A Look Inside V3.2 PCI DSS: A Look Inside V3.2 11 May 2016 Janet Cookson Director, Data Sec & Third Party Risk, Visa Inc. Lester Chan Director, Merchant Security, Visa Inc. 1 PCI DSS: A Look Inside V3.2 11 May 2016 Disclaimer

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0 Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview

More information

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate. MasterCard PCI & Site Data Protection (SDP) Program Update Academy of Risk Management Innovate. Collaborate. Educate. The Payment Card Industry Security Standards Council (PCI SSC) Open, Global Forum Founded

More information

Payment Card Industry Compliance Overview

Payment Card Industry Compliance Overview January 31, 2014 11:30am 12:30pm Central Hosted by: Texas.gov Presented by: Jayne Holland Barbara Brinson Payment Card Industry Compliance Overview Securing Government Payments Audio Dial In: 866-740-1260

More information

What You Need to Know About PCI SSC. 2014 Guiding open standards for global payment card security

What You Need to Know About PCI SSC. 2014 Guiding open standards for global payment card security What You Need to Know About PCI SSC 2014 About the PCI Council Founded in 2006 - Guiding open standards for payment card security Development Management Education Awareness Expanding Global Representation

More information

Control Gap Commentary on the Changes to the PCI Data Security Standard v3.0. PCI DSS v3.0 2013-11-13. All Rights Reserved. Do Not Distribute.

Control Gap Commentary on the Changes to the PCI Data Security Standard v3.0. PCI DSS v3.0 2013-11-13. All Rights Reserved. Do Not Distribute. PCI DSS v3.0 Control Gap Commentary on the Changes to the PCI Data Security Standard v3.0 All Rights Reserved. Do Not Distribute. 2013-11-13 2013-11-13 Control Gap Inc. All Rights Reserved. Do Not Distribute.

More information

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014 Are You Ready For PCI v 3.0 Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014 Today s Presenter Corbin Del Carlo QSA, PA QSA Director, National Leader PCI Services Practice 847.413.6319

More information

LESS IS MORE PCI DSS SCOPING DEMYSTIFIED

LESS IS MORE PCI DSS SCOPING DEMYSTIFIED LESS IS MORE PCI DSS SCOPING DEMYSTIFIED Lauren Holloway PCI Security Standards Council Emma Sutcliffe PCI Security Standards Council Session ID: Session Classification: DSP-W21 Intermediate Who s Here

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers For use with PCI DSS Version 3.1 Revision 1.1 July 2015 Section 1: Assessment

More information

Data Security Basics for Small Merchants

Data Security Basics for Small Merchants Data Security Basics for Small Merchants 28 October 2015 Stan Hui Director, Merchant Risk Lester Chan Director, Merchant Risk Disclaimer The information or recommendations contained herein are provided

More information

PCI Compliance. PCI DSS v3.1. Dan Lobb CRISC. Lisa Gable CISM

PCI Compliance. PCI DSS v3.1. Dan Lobb CRISC. Lisa Gable CISM PCI Compliance PCI DSS v3.1 Dan Lobb CRISC Lisa Gable CISM Dan Lobb, CRISC o Introduction Dan has an MIS degree from the University of Central Florida. He began his career at Accenture and for the past

More information

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced Version 3.0 February

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 3.2 May 2016 Document Changes Date Version Description October 1, 2008 1.2 October 28,

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals Electronic Cardholder

More information

Payment Card Industry (PCI) Additional Security Requirements for Token Service Providers (EMV Payment Tokens)

Payment Card Industry (PCI) Additional Security Requirements for Token Service Providers (EMV Payment Tokens) Payment Card Industry (PCI) Additional Security Requirements for Token Service Providers (EMV Payment Tokens) Frequently Asked Questions December 2015 Introductory Note This document addresses frequently

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information

PCI Compliance 3.1. About Us

PCI Compliance 3.1. About Us PCI Compliance 3.1 University of Hawaii About Us Helping organizations comply with mandates, recover from security breaches, and prevent data theft since 2000. Certified to conduct all major PCI compliance

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 1.2.1 to 2.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 1.2.1 to 2.0 Payment Card Industry (PCI) Data Security Standard Summary of s from PCI DSS Version 1.2.1 to 2.0 October 2010 General General Throughout Removed specific references to the Glossary as references are generally

More information

Thoughts on PCI DSS 3.0. D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director

Thoughts on PCI DSS 3.0. D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director Thoughts on PCI DSS 3.0 D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director Agenda 1 2 3 Global Payment Card Statistics and Trends PCI DSS Overview PCI DSS Version 3.0: Important Timelines

More information

Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance

Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance Emerging Technology Whitepaper Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance For Transmissions of Cardholder Data and Sensitive Authentication Data Program Guide Version

More information

PCI DSS 3.0 and You Are You Ready?

PCI DSS 3.0 and You Are You Ready? PCI DSS 3.0 and You Are You Ready? 2014 STUDENT FINANCIAL SERVICES CONFERENCE Linda Combs combslc@jmu.edu Ron King rking@campusguard.com AGENDA PCI and Bursar Office Role Key Themes in v3.0 Timelines Changes

More information

Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A

Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879 Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 2 of 116 PageID: 4880 Payment Card Industry (PCI)

More information

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock PCI DSS 3.0 Overview OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock 01/16/2015 Purpose of Today s Presentation To provide an overview of PCI 3.0 based

More information

Payment Card Industry (PCI) Point-to-Point Encryption

Payment Card Industry (PCI) Point-to-Point Encryption Payment Card Industry (PCI) Point-to-Point Encryption Solution Requirements and : Encryption, Decryption, and Key Management within Secure Cryptographic Devices (Hardware/Hardware) Version 1.1.1 July 2013

More information

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics About Us Matt Halbleib CISSP, QSA, PA-QSA Manager PCI-DSS assessments With SecurityMetrics for 6+ years SecurityMetrics Security

More information

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation The PCI DSS Lifecycle 1 The PCI DSS follows a three-year lifecycle PCI DSS 3.0 will be released in November 2013 Optional (but recommended) in 2014; Required in 2015 PCI SSC Community Meeting Update: PCI

More information

North Carolina Office of the State Controller Technology Meeting

North Carolina Office of the State Controller Technology Meeting PCI DSS Security Awareness Training North Carolina Office of the State Controller Technology Meeting April 30, 2014 agio.com A Note on Our New Name Secure Enterprise Computing was acquired as the Security

More information

PCI Security Standards Council

PCI Security Standards Council PCI Security Standards Council Bob Russo, General Manager 2013 Why PCI Matters Applying PCI How You Can Participate Agenda About the PCI Council Open, global forum Founded 2006 Guiding open standards for

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance Merchants with Web-Based Virtual Payment Terminals No Electronic Cardholder Data Storage

More information

The Relationship Between PCI, Encryption and Tokenization: What you need to know

The Relationship Between PCI, Encryption and Tokenization: What you need to know October 2014 The Relationship Between PCI, Encryption and Tokenization: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems,

More information

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 2.0 October 2010 Document Changes Date Version Description October 1, 2008 1.2 October

More information

Corbin Del Carlo Director, National Leader PCI Services. October 5, 2015

Corbin Del Carlo Director, National Leader PCI Services. October 5, 2015 PCI compliance: v3.1 Key Considerations Corbin Del Carlo Director, National Leader PCI Services October 5, 2015 Today s Presenter Corbin Del Carlo QSA, PA QSA Director, National Leader PCI Services Practice

More information

INFORMATION TECHNOLOGY FLASH REPORT

INFORMATION TECHNOLOGY FLASH REPORT INFORMATION TECHNOLOGY FLASH REPORT Understanding PCI DSS Version 3.0 Key Changes and New Requirements November 8, 2013 On November 7, 2013, the PCI Security Standards Council (PCI SSC) announced the release

More information

UNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE

UNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE UNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE April 30 th, 2014 Sean Mathena CISSP, CISA, QSA Trustwave Managing Consultant WELCOME AND AGENDA PCI-DSS 3.0 Review the high-level areas that have changed

More information

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase PCI DSS Overview By Kishor Vaswani CEO, ControlCase Agenda About PCI DSS PCI DSS Applicability to Banks, Merchants and Service Providers PCI DSS Technical Requirements Overview of PCI DSS 3.0 Changes Key

More information

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security Breach Findings for Large Merchants 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security Disclaimer The information or recommendations contained herein are

More information

VMware Product Applicability Guide for. Payment Card Industry Data Security Standard

VMware Product Applicability Guide for. Payment Card Industry Data Security Standard VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.0 February 2014 V3.0 DESIGN DO CU MENT Table of Contents EXECUTIVE SUMMARY... 4 INTRODUCTION... 5

More information

PCI DSS 3.0 Changes & Challenges P R E S I D E N T/ C O - F O U N D E R F R S EC U R E

PCI DSS 3.0 Changes & Challenges P R E S I D E N T/ C O - F O U N D E R F R S EC U R E PCI DSS 3.0 Changes & Challenges EVAN FRANCEN, CISSP CISM P R E S I D E N T/ C O - F O U N D E R F R S EC U R E PCI DSS 3.0 Changes & Challenges Topics FRSecure, the company Introduction to PCI-DSS Recent

More information

PCI v 3.0 What you should know! Emily Coble UNC Chapel Hill Robin Mayo East Carolina University

PCI v 3.0 What you should know! Emily Coble UNC Chapel Hill Robin Mayo East Carolina University PCI v 3.0 What you should know! Emily Coble UNC Chapel Hill Robin Mayo East Carolina University Session Etiquette Please turn off all cell phones. Please keep side conversations to a minimum. If you must

More information

How to Sell PCI 3.1 to Your Merchants. Matt Brown, Director of Business Development

How to Sell PCI 3.1 to Your Merchants. Matt Brown, Director of Business Development How to Sell PCI 3.1 to Your Merchants Matt Brown, Director of Business Development MAC is an organization of Bankcard professionals involved in the risk management side of Card Processing. We have members

More information

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing

More information

So you want to take Credit Cards!

So you want to take Credit Cards! So you want to take Credit Cards! Payment Card Industry - Data Security Standard: (PCI-DSS) Doug Cox GSEC, CPTE, PCI/ISA, MBA dcox@umich.edu Data Security Analyst University of Michigan PCI in Higher Ed

More information

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers SAQ-Eligible Service Providers For use PCI DSS Version 3.1 Revision

More information

New PCI Standards Enhance Security of Cardholder Data

New PCI Standards Enhance Security of Cardholder Data December 2013 New PCI Standards Enhance Security of Cardholder Data By Angela K. Hipsher, CISA, QSA, Jeff A. Palgon, CPA, CISSP, QSA, and Craig D. Sullivan, CPA, CISA, QSA Payment cards a favorite target

More information

Payment Card Industry (PCI) Penetration Testing Standard

Payment Card Industry (PCI) Penetration Testing Standard Payment Card Industry (PCI) Penetration Testing Standard Issued Date: 14 May 2015 Effective Date: 14 May 2015 Purpose This standard outlines penetration-testing requirements for the university's Payment

More information

Mobile Device Payment Card Processing: How Secure is It? Richard Poworski CISSP, ISP, ITCP, SCF, PCI QSA, PCIP Managing Consultant

Mobile Device Payment Card Processing: How Secure is It? Richard Poworski CISSP, ISP, ITCP, SCF, PCI QSA, PCIP Managing Consultant Seccuris is Canada s premier Information Assurance integrator. We enable organizations to achieve business goals through effective management of information risk. We are agile, innovative, flexible, and

More information

PCI Self-Assessment: PCI DSS 3.0

PCI Self-Assessment: PCI DSS 3.0 PCI Self-Assessment: PCI DSS 3.0 Achieving PCI DSS 3.0 Compliance with our PCI Self-Assessment tool (Author: Heinrich Van Der Westhuizen, Director) Requirement PCI DSS update Purpose/need Addressed 1 Have

More information

PCI Security Standards Council

PCI Security Standards Council PCI Security Standards Council Jeremy King, European Director 2013 Why PCI Matters Applying PCI How You Can Participate Agenda 2 Why PCI Matters Applying PCI How You Can Participate Agenda About the PCI

More information

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program MERCHANTS Can Level 1 merchants currently use internal auditors to perform an onsite assessment? Yes. However, after June 30,

More information

PCI PA-DSS Requirements. For hardware vendors

PCI PA-DSS Requirements. For hardware vendors PCI PA-DSS Requirements For hardware vendors PCI security services UL's streamlined PCI PA-DSS certification services get your product to market faster. UL is world leader in advancing safety. Through

More information

Why Is Compliance with PCI DSS Important?

Why Is Compliance with PCI DSS Important? Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These

More information

Understanding the SAQs for PCI DSS version 3

Understanding the SAQs for PCI DSS version 3 Understanding the SAQs for PCI DSS version 3 The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to assist merchants and service providers report the results of their PCI DSS

More information

PCI Compliance 101: Payment Card. Your Presenter: 7/19/2011. Data Security Standards Compliance. Wednesday, July 20, 2011 2:00 pm 3:00 pm EDT

PCI Compliance 101: Payment Card. Your Presenter: 7/19/2011. Data Security Standards Compliance. Wednesday, July 20, 2011 2:00 pm 3:00 pm EDT PCI Compliance 101: Payment Card Industry Basics Data Security Standards Compliance Wednesday, July 20, 2011 2:00 pm 3:00 pm EDT This complimentary webinar is brought to you by ASAE-Endorsed Business Solutions

More information

What a Processor Needs from a University to Validate Compliance

What a Processor Needs from a University to Validate Compliance What a Processor Needs from a University to Validate Compliance Lisa T. Conroy Merchant Compliance Manager Vantiv May 24, 2016 Disclosures The information included in this presentation is for information

More information

Third Party Risk Management Basics. Webinar. 26 February 2015

Third Party Risk Management Basics. Webinar. 26 February 2015 Third Party Risk Management Basics Webinar 26 February 2015 Stan Hui Payment System Security Oscar Munoz Third Party Risk Roxanne Baumann Third Party Risk Disclaimer The information or recommendations

More information

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard PCI Compliance Crissy Sampier, Longwood University Edward Ko, CampusGuard Agenda Introductions PCI DSS 101 Chip Cards (EMV) Longwood s PCI DSS Journey Breach Statistics Shortcuts to PCI DSS Compliance

More information

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program MERCHANTS Can Level 1 merchants currently use internal auditors to perform an onsite assessment? Yes. However, after June 30,

More information

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.1 April 2015

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.1 April 2015 Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.1 April 2015 Document Changes Date Version Description Pages October 2008 1.2 July 2009 1.2.1

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Merchants with Payment Application Systems Connected to the Internet No Electronic Cardholder

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance Merchants with Web-Based Virtual Payment Terminals No Electronic Cardholder Data Storage

More information

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS CIVICA Conference 22 January 2015 WELCOME AND AGENDA Change is here! PCI-DSS 3.0 is mandatory starting January 1, 2015 Goals of the session

More information

Adyen PCI DSS 3.0 Compliance Guide

Adyen PCI DSS 3.0 Compliance Guide Adyen PCI DSS 3.0 Compliance Guide February 2015 Page 1 2015 Adyen BV www.adyen.com Disclaimer: This document is for guidance purposes only. Adyen does not accept responsibility for any inaccuracies. Merchants

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers SAQ-Eligible Service Providers Version 3.0 February 2014 Document

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other SAQ-Eligible Merchants and Service Providers Version 2.0 October 2010 Document

More information

PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.1

PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.1 PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.1 For merchants and other entities involved in payment card processing Contents PCI DSS Quick Reference

More information

PCI DSS Gap Analysis Briefing

PCI DSS Gap Analysis Briefing PCI DSS Gap Analysis Briefing The University of Chicago October 1, 2012 Walter Conway, QSA 403 Labs, LLC Agenda The PCI DSS ecosystem - Key players, roles - Cardholder data - Merchant levels and SAQs UofC

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS August 23, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Presenters Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security

More information

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.0 November 2013

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.0 November 2013 Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.0 November 2013 Document Changes Date Version Description Pages October 2008 1.2 July 2009 1.2.1

More information

Payment Card Industry (PCI) Data Security Standard Report on Compliance. Template for Report on Compliance for use with PCI DSS v3.0. Version 1.

Payment Card Industry (PCI) Data Security Standard Report on Compliance. Template for Report on Compliance for use with PCI DSS v3.0. Version 1. Payment Card dustry (PCI) Data Security Standard Report on Compliance Template for Report on Compliance for use PCI DSS v3.0 Version 1.0 February 2014 Document Changes Date Version Description February

More information

PCI DSS. Payment Card Industry Data Security Standard. www.tuv.com/id

PCI DSS. Payment Card Industry Data Security Standard. www.tuv.com/id PCI DSS Payment Card Industry Data Security Standard www.tuv.com/id What Is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is the common security standard of all major credit cards brands.the

More information

The PCI Security Standards Council. Jeremy King European Director

The PCI Security Standards Council. Jeremy King European Director The PCI Security Standards Council Jeremy King European Director Agenda How can you defend your card data? What is the Council doing to help you? What tools are available to get you secure? How can you

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS The PCI Security Standards Council http://www.pcisecuritystandards.org The OWASP Foundation http://www.owasp.org Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS Omar F. Khandaker,

More information

Section 1: Assessment Information

Section 1: Assessment Information Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the service provider s self-assessment with the Payment Card Industry Data

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry Payment Application Data Security Standard (PA-DSS) FAQs for use with ROV Reporting Instructions for PA-DSS version 2.

Payment Card Industry Payment Application Data Security Standard (PA-DSS) FAQs for use with ROV Reporting Instructions for PA-DSS version 2. Payment Card Industry Payment Application Data Security Standard (PA-DSS) FAQs for use with ROV Reporting Instructions for PA-DSS version 2.0 ROV Reporting Instructions for PA-DSS v2.0 Frequently Asked

More information

PCI DSS Compliance. 2015 Information Pack for Merchants

PCI DSS Compliance. 2015 Information Pack for Merchants PCI DSS Compliance 2015 Information Pack for Merchants This pack contains general information regarding PCI DSS compliance and does not take into account your business' particular requirements. ANZ recommends

More information

PCI DSS v3.0. Compliance Guide

PCI DSS v3.0. Compliance Guide PCI DSS v3.0 Compliance Guide December 2013 PCI DSS v3.0 Compliance Guide What is PCI DSS? Negative media coverage, a loss of customer confidence, and the resulting loss in sales can cripple a business.

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

MITIGATING LARGE MERCHANT DATA BREACHES

MITIGATING LARGE MERCHANT DATA BREACHES MITIGATING LARGE MERCHANT DATA BREACHES Tia D. Ilori Ed Verdurmen January 2014 1 DISCLAIMER The information or recommendations contained herein are provided "AS IS" and intended for informational purposes

More information

PCI DSS in Essence Through practical examples. September, 2016 Septia Academy

PCI DSS in Essence Through practical examples. September, 2016 Septia Academy PCI DSS in Essence Through practical examples September, 2016 Septia Academy PCI DSS in Essence Training program specification Introduction The Payment Card Industry Data Security Standard s requirements

More information

PCI DSS 2.0 and PA-DSS 2.0 SUMMARY OF CHANGES - HIGHLIGHTS

PCI DSS 2.0 and PA-DSS 2.0 SUMMARY OF CHANGES - HIGHLIGHTS Introduction 2.0 and PA-DSS 2.0 SUMMARY OF CHANGES - HIGHLIGHTS This document from the PCI Security Standards Council (PCI SSC) is designed to provide a transparent runway to the introduction of the new

More information

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP 2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com Overview PCI DSS In the beginning Each major card brand had its own separate

More information

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy Payment Card Industry - Data Security Standard () Security Policy Version 1-0-0 3 rd February 2014 University of Leeds 2014 The intellectual property contained within this publication is the property of

More information

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council Version 1.0 Date: Author: PCI Security Standards Council Executive Summary The time to migrate is now. For over 20 years Secure Sockets Layer (SSL) has been in the market as one of the most widely-used

More information

The State of Security and Compliance for E- Commerce and Retail

The State of Security and Compliance for E- Commerce and Retail The State of Security and Compliance for E- Commerce and Retail Current state of security PCI regulations and compliance Does the data you hold require PCI compliance Security and safeguarding against

More information

Creating, Developing and Instituting an Effective Incident Response Plan. Webinar. 15 April 2015

Creating, Developing and Instituting an Effective Incident Response Plan. Webinar. 15 April 2015 Creating, Developing and Instituting an Effective Incident Response Plan Webinar 15 April 2015 Stan Hui Payment System Security Stephen J. Kopeck Verizon Visa Public Disclaimer The information or recommendations

More information

PCI Security Standards Council

PCI Security Standards Council PCI Security Standards Council Ralph Poore, Director, Emerging Standards 2013 About PCI Emerging Technologies OWASP and Mobile Guidelines About PCI About the PCI Council Open, global forum Founded 2006

More information