PCI 3.1 Changes. Jon Bonham, CISA Coalfire System, Inc.
|
|
- Barnaby Franklin Dixon
- 8 years ago
- Views:
Transcription
1 PCI 3.1 Changes Jon Bonham, CISA Coalfire System, Inc.
2 Agenda Introduction of Coalfire What does this have to do with the business office Changes to version 3.1 EMV P2PE Questions and Answers Contact Information 2
3 Income Easier What does this have to do with business? The decision to take cards was made in the business office. The contracts were signed by the business office. The part in the contract about always being PCI compliant, was signed by the business office. 3
4 4 What you signed up for.
5 Business Office Business Need Business Solution Business Responsibilities With help from the IT Department With help from the merchants and their staff 5
6 6 VERSION 2.0 TO 3.1 CHANGES
7 7 New SAQ Validation Types
8 New SAQ Validation Types SAQ Validation Type A A-EP B B-IP C C-VT Description Card-not-present merchants: All payment processing functions fully outsourced, no electronic cardholder data storage E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data storage Merchants with only imprint machines or only standalone dial-out payment terminals: No e-commerce or electronic cardholder data storage Merchants with standalone, IP-connected payment terminals: No e-commerce or electronic cardholder data storage Merchants with payment application systems connected to the Internet: No e-commerce or electronic cardholder data storage Merchants with web-based virtual payment terminals: No e-commerce or electronic cardholder data storage # of Questions v3.0 Change # from v2.0 ASV Scan Required v3.0 Penetration Test Required V No No 139 NEW Yes Yes No No 83 NEW Yes No Yes Yes No No D-MER All other SAQ-eligible merchants Yes Yes D-SP SAQ-eligible service providers 347 NEW Yes Yes P2PE Hardware payment terminals in a validated PCI P2PE solution only: No e-commerce or electronic cardholder data storage 35 NEW No No 8
9 New SAQ Validation Types SAQ Validation Type A Description Card-not-present merchants: All payment processing functions fully outsourced, no electronic cardholder data storage 9
10 New SAQ Validation Types SAQ Validation Type A-EP Description E-commerce merchants re-directing to a thirdparty website for payment processing, no electronic cardholder data storage Change # from v2.0 ASV Scan Required v3.0 Penetration Test Required V3.0 NEW Yes Yes 10
11 New SAQ Validation Types SAQ Validation Type B Description Merchants with only imprint machines or only standalone dialout payment terminals: No e-commerce or electronic cardholder data storage 11
12 New SAQ Validation Types SAQ Validation Type B-IP Description Merchants with standalone, IPconnected payment terminals: No e- commerce or electronic cardholder data storage Change # from v2.0 Penetration Test ASV Scan Required Required v3.0 V3.0 NEW Yes No 12
13 New SAQ Validation Types SAQ Validation Type C Description Merchants with payment application systems connected to the Internet: No e-commerce or electronic cardholder data storage ASV Scan Required v3.0 Yes Penetration Test Required V3.0 Yes 13
14 New SAQ Validation Types SAQ Validation Type C-VT Description Merchants with webbased virtual payment terminals: No e- commerce or electronic cardholder data storage ASV Scan Required v3.0 No Penetration Test Required V3.0 No 14
15 New SAQ Validation Types SAQ Validation Type D-MER Description All other SAQ-eligible merchants Penetration Test ASV Scan Required Required v3.0 V3.0 Yes Yes 15
16 New SAQ Validation Types SAQ Validation Type D-SP Description SAQ-eligible service providers Change # from v2.0 ASV Scan Required v3.0 Penetration Test Required V3.0 NEW Yes Yes 16
17 New SAQ Validation Types SAQ Validation Type P2PE Description Hardware payment terminals in a validated PCI P2PE solution only: No e-commerce or electronic cardholder data storage Change # from v2.0 ASV Scan Required v3.0 Penetration Test Required V3.0 NEW No No 17
18 New SAQ Validation Types SAQ Validation Type A A-EP B B-IP C C-VT Description Card-not-present merchants: All payment processing functions fully outsourced, no electronic cardholder data storage E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data storage Merchants with only imprint machines or only standalone dial-out payment terminals: No e-commerce or electronic cardholder data storage Merchants with standalone, IP-connected payment terminals: No e-commerce or electronic cardholder data storage Merchants with payment application systems connected to the Internet: No e-commerce or electronic cardholder data storage Merchants with web-based virtual payment terminals: No e-commerce or electronic cardholder data storage # of Questions v3.0 Change # from v2.0 ASV Scan Required v3.0 Penetration Test Required V No No 139 NEW Yes Yes No No 83 NEW Yes No Yes Yes No No D-MER All other SAQ-eligible merchants Yes Yes D-SP SAQ-eligible service providers 347 NEW Yes Yes P2PE Hardware payment terminals in a validated PCI P2PE solution only: No e-commerce or electronic cardholder data storage 35 NEW No No 18
19 PCI DSS 3.1 Goals The PCI SSC is pushing the concept of ongoing or continuous compliance management. o Monitoring of security controls o Detect and respond to failures in security controls o Review all changes to the environment o Organization structure changes o Periodic reviews o Annual hardware/software review 19
20 PCI DSS 3.1 Scope and Segmentation It s important to review the guidance on how to accurately determine the scope of a PCI DSS engagement and the intent of segmentation. Successfully identifying the scope of your environment is always the key to a successful PCI DSS assessment. Scope Identification Process Connected Systems = inscope What is your ongoing process? Connected to the CDE and have the ability to access cardholder data. Identifying cardholder data outside of the CDE. Systems that have the ability to impact the security of the CDE
21 PCI DSS 3.1 Critical Changes to Penetration Testing Expanded Penetration Testing Expectations The penetration testing requirements are much more detailed and now require testing to validate segmentation technologies (best practice until July, 2015).
22 PCI DSS 3.1 Flexible Changes to Existing Requirements Requirement 6.6 Flexibility Added options to the interpretation of this requirement by changing web-application firewall to automated technical solution that detects and prevents web-based attacks. Password Complexity Flexibility Password complexity and strength requirements have been combined into a single requirement and the PCI SSC has now allowed for some flexibility in meeting these requirements.
23 PCI DSS 3.1 Critical Changes to Logging Requirements New Logging Events Enhanced logging requirement to include stopping or pausing of the audit logs Log Reviews for Critical Daily or continuous log reviews have been split into two categories: Critical systems and everything else. New Logging Events Enhanced logging requirement to include stopping or pausing of the audit logs. Log Reviews for Critical Components Daily or continuous log reviews have been split into two categories: Critical systems and Everything else.
24 PCI DSS 3.1 Critical Changes to Developer Training 6.5.c Sensitive Data in Memory Organizations must now demonstrate how they train their developers to understand how sensitive data is handled in memory.
25 PCI DSS 3.1 New Requirements - Immediate impact Requirement Dataflow diagrams. Requirement 2.4 Inventory of all in-scope system components. Requirement Risk-based malware review for systems not commonly affected by malicious software. Requirement b Termination processes must include all physical authentication methods in addition to systems.
26 PCI DSS 3.1 New Requirements - Immediate impact Requirement 8.6.x New requirements and testing procedures around the use of physical Authentication Mechanisms assigned to individuals. Requirement 9.3 New requirement to control issuing physical access to sensitive areas for onsite personnel. Requirement New requirement to maintain information about which PCI DSS requirements are managed by the service provider.
27 PCI DSS 3.1 Phased Requirements These requirements were considered best practices only until June 30, 2015 at which time they became mandatory for all 3.1 assessments. Requirement Broken authentication and session management. Requirement New requirement for service providers to use different authentication credentials for access into different customer environments. Requirement(s) 9.9.x New (merchant) requirements to protect point-of-sale devices that capture payment card data from tampering or unauthorized modification or substitution.
28 PCI DSS 3.1 More Phased Requirements Requirement 11.3.X Expanded requirements/expectations for penetration testing controls. PCI DSS v2.0 requirements for penetration testing may be followed until July Requirement 12.9 Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data.
29 29 Questions about the changes
30 What is Chip and Pin or EMV? EMV, which stands for Europay, MasterCard, and Visa, is a global standard for inter-operation of integrated circuit cards (IC cards or "chip cards") and IC card capable point of sale, (POS) terminals, for authenticating credit and card transactions. 30
31 Contact Cards and RFD Cards Contact cards communicate with the reader over a contact plate. The plate must come into contact with the terminal usually by inserting the card into a slot in the terminal. The card must remain inserted for the duration of the transaction. Contactless cards communicate via radio frequency (RF) and must contain an antenna. Dual interface chip cards combine both technologies and can communicate either way. 31 Source: Visa U.S. Merchant EMV Chip Acceptance Readiness Guide
32 What does this mean to you The benefit to EMV is that it is almost impossible to create a fake or fraudulent card Card produces a one-time use code for each transaction It takes special equipment to read the card Over 80 percent of fraudulent transactions are Card Present transactions By using EMV those transactions shouldn t take place 32
33 October 15, 2015 Liability Shift If a magnetic strip card comes in and is read with a magnetic strip reader then, if the purchase is a counterfeit transaction, the merchant is generally not liable, just like today. 33
34 October 15, 2015 Liability Shift If a EMV card comes in and is read with a Magnetic stripe only POS terminal then, if the purchase is a counterfeit transaction, the merchant is solely liable. 34
35 October 15, 2015 Liability Shift If a EMV card comes in and is read with an activated EMV terminal then, if the purchase is a counterfeit transaction, the issuer will be liable. 35
36 Double Down If you are going to invest in the equipment, consider the business case of also buying equipment that can handle Point to Point Encryption technology. The Chip and Pin or what is really Chip and Signature here in the US protects the card and the card only P2PE protects the cardholder data as it passes through your network. 36
37 Predictions 70% of U.S. credit cards and 41% of debit cards will be EMV-enabled by the end of 2015 The demand for new equipment will increase as the deadline gets closer. Many that order late will be waiting on equipment when the deadline comes Most will think you can just plug it in and go without the proper testing with the processor. They will be wrong. 37
38 Thank you Jon Bonham 38
PCI Risks and Compliance Considerations
PCI Risks and Compliance Considerations July 21, 2015 Stephen Ramminger, Senior Business Operations Manager, ControlScan Jon Uyterlinde, Product Manager, Merchant Services, SVB Agenda 1 2 3 4 5 6 7 8 Introduction
More informationCredit Card Processing, Point of Sale, ecommerce
Credit Card Processing, Point of Sale, ecommerce Compliance, Self Auditing, and More John Benson Kurt Willey HACKS REGULATIONS Greater Risk for Merchants Topics Compliance Changes Scans Self Audits
More informationPCI DSS v3.0 SAQ Eligibility
http://www.ambersail.com Disclaimer: The information in this document is provided "as is" without warranties of any kind, either express or implied, including, without limitation, implied warranties of
More informationTop PCI 3.0 Challenges for Chain Merchants. March 11, 2015
Top PCI 3.0 Challenges for Chain Merchants March 11, 2015 Webinar Program Wednesday, March 11, 2015 Presentations 3PM 3:45PM Eastern Questions & Answers 3:45PM 4:00PM Eastern Agenda Cybercrime PCI DSS
More informationPCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock
PCI DSS 3.0 Overview OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock 01/16/2015 Purpose of Today s Presentation To provide an overview of PCI 3.0 based
More informationPCI Compliance 3.1. About Us
PCI Compliance 3.1 University of Hawaii About Us Helping organizations comply with mandates, recover from security breaches, and prevent data theft since 2000. Certified to conduct all major PCI compliance
More informationPCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard
PCI Compliance Crissy Sampier, Longwood University Edward Ko, CampusGuard Agenda Introductions PCI DSS 101 Chip Cards (EMV) Longwood s PCI DSS Journey Breach Statistics Shortcuts to PCI DSS Compliance
More informationBecoming PCI Compliant
Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History
More informationAre You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014
Are You Ready For PCI v 3.0 Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014 Today s Presenter Corbin Del Carlo QSA, PA QSA Director, National Leader PCI Services Practice 847.413.6319
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 3.2 May 2016 Document Changes Date Version Description October 1, 2008 1.2 October 28,
More informationNorth Carolina Office of the State Controller Technology Meeting
PCI DSS Security Awareness Training North Carolina Office of the State Controller Technology Meeting April 30, 2014 agio.com A Note on Our New Name Secure Enterprise Computing was acquired as the Security
More informationOKLAHOMA STATE UNIVERSITY STUDENT UNION HOW IT SERVES OTHERS THROUGH PCI COMPLIANCE
OKLAHOMA STATE UNIVERSITY STUDENT UNION HOW IT SERVES OTHERS THROUGH PCI COMPLIANCE TRACIE BROWN ASSOCIATE DIRECTOR OF ADMINISTRATIVE SERVICES MIKE PEASTER INFORMATION TECHNOLOGY MANAGER THE QUESTIONS
More informationPCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard rking@campusguard.com
PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard rking@campusguard.com Whoops!...3.1 Changes 3.1 PCI DSS Responsibility Information Technology Business Office PCI DSS Work Information
More informationPCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com Overview PCI DSS In the beginning Each major card brand had its own separate
More informationCorbin Del Carlo Director, National Leader PCI Services. October 5, 2015
PCI compliance: v3.1 Key Considerations Corbin Del Carlo Director, National Leader PCI Services October 5, 2015 Today s Presenter Corbin Del Carlo QSA, PA QSA Director, National Leader PCI Services Practice
More informationEMV and Small Merchants:
September 2014 EMV and Small Merchants: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems, Inc. All trademarks, service
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other SAQ-Eligible Merchants and Service Providers Version 2.0 October 2010 Document
More informationWhat Merchants Need to Know About EMV
Effective November 1, 2014 1. What is EMV? EMV is the global standard for card present payment processing technology and it s coming to the U.S. EMV uses an embedded chip in the card that holds all the
More informationUnderstanding the SAQs for PCI DSS version 3
Understanding the SAQs for PCI DSS version 3 The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to assist merchants and service providers report the results of their PCI DSS
More informationEMV and Restaurants: What you need to know. Mike English. October 2014. Executive Director, Product Development Heartland Payment Systems
October 2014 EMV and Restaurants: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems, Inc. All trademarks, service marks
More informationPCI DSS 3.0 and You Are You Ready?
PCI DSS 3.0 and You Are You Ready? 2014 STUDENT FINANCIAL SERVICES CONFERENCE Linda Combs combslc@jmu.edu Ron King rking@campusguard.com AGENDA PCI and Bursar Office Role Key Themes in v3.0 Timelines Changes
More informationFrequently Asked Questions
PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply
More informationWhy Is Compliance with PCI DSS Important?
Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These
More informationPCI DSS Gap Analysis Briefing
PCI DSS Gap Analysis Briefing The University of Chicago October 1, 2012 Walter Conway, QSA 403 Labs, LLC Agenda The PCI DSS ecosystem - Key players, roles - Cardholder data - Merchant levels and SAQs UofC
More informationPayment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.
Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History
More informationPuzzled about PCI compliance? Proactive ways to navigate through the standard for compliance
Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com
More informationPCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics
PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics About Us Matt Halbleib CISSP, QSA, PA-QSA Manager PCI-DSS assessments With SecurityMetrics for 6+ years SecurityMetrics Security
More informationHow To Comply With The New Credit Card Chip And Pin Card Standards
My main responsibility as a Regional Account Manager for IMD is obtain the absolute lowest possible merchant fees for you as a business. Why? The more customers we can save money, the more volume of business
More informationTechnology Innovation Programme
FACT SHEET Technology Innovation Programme The Visa Europe Technology Innovation Programme () was designed to complement the Payment Card Industry (PCI) Data Security Standard (DSS) by reflecting the risk
More informationPCI Compliance Overview
PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)
More informationHOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS
HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS August 23, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Presenters Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security
More informationSection 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
More informationPCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS
PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS CIVICA Conference 22 January 2015 WELCOME AND AGENDA Change is here! PCI-DSS 3.0 is mandatory starting January 1, 2015 Goals of the session
More informationHow Secure is Your Payment Card Data?
How Secure is Your Payment Card Data? Complying with PCI DSS SLIDE 1 PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security Practice PCI Practice Leader Francis has
More informationPCI DSS Compliance. 2015 Information Pack for Merchants
PCI DSS Compliance 2015 Information Pack for Merchants This pack contains general information regarding PCI DSS compliance and does not take into account your business' particular requirements. ANZ recommends
More informationThoughts on PCI DSS 3.0. D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director
Thoughts on PCI DSS 3.0 D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director Agenda 1 2 3 Global Payment Card Statistics and Trends PCI DSS Overview PCI DSS Version 3.0: Important Timelines
More informationAdyen PCI DSS 3.0 Compliance Guide
Adyen PCI DSS 3.0 Compliance Guide February 2015 Page 1 2015 Adyen BV www.adyen.com Disclaimer: This document is for guidance purposes only. Adyen does not accept responsibility for any inaccuracies. Merchants
More information2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock
2015 PCI DSS Meeting OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock 11/3/2015 Today s Presentation What do you need to do? What is PCI DSS? Why PCI DSS? Who Needs to Comply
More informationSo you want to take Credit Cards!
So you want to take Credit Cards! Payment Card Industry - Data Security Standard: (PCI-DSS) Doug Cox GSEC, CPTE, PCI/ISA, MBA dcox@umich.edu Data Security Analyst University of Michigan PCI in Higher Ed
More informationNew PCI Standards Enhance Security of Cardholder Data
December 2013 New PCI Standards Enhance Security of Cardholder Data By Angela K. Hipsher, CISA, QSA, Jeff A. Palgon, CPA, CISSP, QSA, and Craig D. Sullivan, CPA, CISA, QSA Payment cards a favorite target
More informationPayment Card Industry Data Security Standard
Payment Card Industry Data Security Standard Office of the State Treasurer Ryan Pitroff Banking Services Manager Ryan.Pitroff@tre.wa.gov PCI-DSS A common set of industry tools and measurements to help
More informationYour Compliance Classification Level and What it Means
General Information What are the Payment Card Industry (PCI) Data Security Standards? The PCI Data Security Standards represents a common set of industry tools and measurements to help ensure the safe
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers For use with PCI DSS Version 3.1 Revision 1.1 July 2015 Section 1: Assessment
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 1.1 February 2008 Table of Contents About this Document... 1 PCI Data Security Standard
More informationPayment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc.
Payment Methods The cost of doing business Michelle Powell - BASYS Processing, Inc. You ve got to spend money, to make money Major Industry Topics Industry Process Flow PCI DSS Compliance Risks of Non-Compliance
More informationTREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS
TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration
More informationTarget Security Breach
Target Security Breach Lessons Learned for Retailers and Consumers 2014 Pointe Solutions, Inc. PO Box 41, Exton, PA 19341 USA +1 610 524 1230 Background In the aftermath of the Target breach that affected
More informationUnderstand the Business Impact of EMV Chip Cards
Understand the Business Impact of EMV Chip Cards 3 What About Mail/Telephone Order and ecommerce? 3 What Is EMV 3 How Chip Cards Work 3 Contactless Technology 4 Background: Behind the Curve 4 Liability
More informationICS Presents: The October 1st 2015 Credit Card Liability Shift: This Impacts Everyone!
ICS Presents: The October 1st 2015 Credit Card Liability Shift: This Impacts Everyone! Presenters: Cliff Gray Senior Associate of The Strawhecker Group Jon Bonham CISA, Coalfire The opinions of the contributors
More informationWhat is EMV? What is different?
U.S. consumers are receiving new debit and credit cards with embedded chip technology that better stores and protects cardholder information. These new chip cards are part of the new card standard, Europay,
More informationPCI Overview. Lee Buttke Director of Consulting QSA, CPISM, CISSP
PCI Overview Lee Buttke Director of Consulting QSA, CPISM, CISSP About NetSPI Security and compliance consulting solutions for highly regulated markets QSA, PA-QSA, and ASV Higher Education and Retail/Payment
More informationEMV EMV TABLE OF CONTENTS
2 TABLE OF CONTENTS Intro... 2 Are You Ready?... 3 What Is?... 4 Why?... 5 What Does Mean To Your Business?... 6 Checklist... 8 3 U.S. Merchants 60% are expected to convert to -enabled devices by 2015.
More informationContinuous compliance through good governance
PCI DSS Compliance: A step into the payment ecosystem and Nets compliance program Continuous compliance through good governance Who are the PCI SSC? The Payment Card Industry Security Standard Council
More informationA PCI Journey with Wichita State University
A PCI Journey with Wichita State University Blaine Linehan System Software Analyst III Financial Operations & Business Technology Division of Administration & Finance 1 Question #1 How many of you know
More informationTHE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP
THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP WHERE IS THE U.S. PAYMENT CARD INDUSTRY NOW? WHERE IS IT GOING? Today, payment and identification cards of all types (credit
More informationFall Conference November 19 21, 2013 Merchant Card Processing Overview
Fall Conference November 19 21, 2013 Merchant Card Processing Overview Agenda Industry Definition Process Flows Processing Costs Chargeback's Payment Card Industry (PCI) Guidelines for Convenience Fees
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals Electronic Cardholder
More informationNEWS BULLETIN 2015-16
NEWS BULLETIN Maine Automobile Dealers Association 180 Civic Center Drive P. O. Box 2667 Augusta, Maine 04338-2667 DIAL 623-3882 e-mail:info@maineautodealers.com FAX 623-2318 DISTRIBUTION General Manager
More informationPCI DSS. CollectorSolutions, Incorporated
PCI DSS Robert Cothran President CollectorSolutions www.collectorsolutions.com CollectorSolutions, Incorporated Founded as Florida C corporation in 1999 Approximately 235 clients in 35 states Targeted
More informationMaking Sense of the PCI Puzzle
Making Sense of the PCI Puzzle Sponsored By: A guide to organizing your merchant accounts on campus Contributors from Coalfire Systems, Inc. Joseph Tinucci Justin Orcutt Eva Araya 1 The Big Picture Navigating
More informationSellWise User Group. Thursday, February 19, 2015
SellWise User Group Thursday, February 19, 2015 Slides and recording posted on scouting.org/financeimpact Look on the Council Fiscal Management Tab, then look at the bottom left for Sellwise Support/User
More informationPCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014
PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions
More informationEMV and Chip Cards Key Information On What This Is, How It Works and What It Means
EMV and Chip Cards Key Information On What This Is, How It Works and What It Means Document Purpose This document is intended to provide information about the concepts behind and the processes involved
More informationPCI DSS Presentation University of Cincinnati
PCI DSS Presentation University of Cincinnati Quick PCI Level Set Higher Ed Challenges Getting Compliant Application w/ customers Q& A PCI DSS Payment Card Industry Data Security Standard What is the PCI
More informationSecurity & Encryption in Healthcare Payments PCI DSS Technical Assessment White Paper
Security & Encryption in Healthcare Payments PCI DSS Technical Assessment White Paper June 05 White Paper Author: Andrey Sazonov CISA, QSA, PA-QSA asazonov@coalfire.com Nick Trenc QSA, PA-QSA nick.trenc@coalfiresystems.com
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission
More informationPayment Cardholder Data Handling Procedures (required to accept any credit card payments)
Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Introduction: The Procedures that follow will allow the University to be in compliance with the Payment Card Industry
More informationSales Rep Frequently Asked Questions
V 02.21.13 Sales Rep Frequently Asked Questions OMEGA Processing Data Protection Program February 2013 - Updated In response to a national rise in data breaches and system compromises, OMEGA Processing
More informationUniversity Policy Accepting Credit Cards to Conduct University Business
BROWN UNIVERSITY University Policy Accepting Credit Cards to Conduct University Business Purpose Brown University requires all departments that are involved with credit card handling to do so in compliance
More informationPCI Compliance. Top 10 Questions & Answers
PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements
More informationPayment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008
Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements
More informationPCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
More informationProject Title slide Project: PCI. Are You At Risk?
Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services
More informationUC Riverside PCI Update and Training October 29, 2014. Rick Norman, QSA Christopher Dosta Coalfire Systems, Inc.
UC Riverside PCI Update and Training October 29, 2014 Rick Norman, QSA Christopher Dosta Coalfire Systems, Inc. Agenda Part I IT Security in the News POS Malware Threats EMV vs. Cardholder Security PCI
More informationPCI v 3.0 What you should know! Emily Coble UNC Chapel Hill Robin Mayo East Carolina University
PCI v 3.0 What you should know! Emily Coble UNC Chapel Hill Robin Mayo East Carolina University Session Etiquette Please turn off all cell phones. Please keep side conversations to a minimum. If you must
More informationCHEAT SHEET: PCI DSS 3.1 COMPLIANCE
CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,
More informationEMV Frequently Asked Questions for Merchants May, 2014
EMV Frequently Asked Questions for Merchants May, 2014 Copyright 2014 Vantiv All rights reserved. Disclaimer The information in this document is offered on an as is basis, without warranty of any kind,
More informationEMV : Frequently Asked Questions for Merchants
EMV : Frequently Asked Questions for Merchants The information in this document is offered on an as is basis, without warranty of any kind, either expressed, implied or statutory, including but not limited
More informationCard Network Update Chip (EMV) Acceptance in the United States At-A-Glance
Card Network Update Chip (EMV) Acceptance in the United States At-A-Glance Allegiance Merchant Services is committed to assisting you in navigating through the various considerations that you may face
More informationPCI Data Security Standards
PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million
More informationINFORMATION TECHNOLOGY FLASH REPORT
INFORMATION TECHNOLOGY FLASH REPORT Understanding PCI DSS Version 3.0 Key Changes and New Requirements November 8, 2013 On November 7, 2013, the PCI Security Standards Council (PCI SSC) announced the release
More informationPCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing
More informationCredit Card Processing Overview
CardControl 3.0 Credit Card Processing Overview Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new
More informationCyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance
Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name
More informationThis appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected
This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.
More informationEMV FAQs. Contact us at: CS@VancoPayments.com. Visit us online: VancoPayments.com
EMV FAQs Contact us at: CS@VancoPayments.com Visit us online: VancoPayments.com What are the benefits of EMV cards to merchants and consumers? What is EMV? The acronym EMV stands for an organization formed
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission
More informationPC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA
PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?
More informationInformation Technology
Credit Card Handling Security Standards Overview Information Technology This document is intended to provide guidance to merchants (colleges, departments, organizations or individuals) regarding the processing
More informationPCI DSS Security Awareness Training for University of Tennessee Credit Card Merchants. UT System Administration Information Security Office
PCI DSS Security Awareness Training for University of Tennessee Credit Card Merchants UT System Administration Information Security Office Agenda Overview of PCI DSS Compliance versus Non-Compliance PCI
More informationMerchant guide to PCI DSS
Merchant guide to PCI DSS Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 BOIPA Simple PCI DSS - 3 step approach to helping businesses... 3 What does
More informationIT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER
July 9 th, 2012 Prepared By: Mark Akins PCI QSA, CISSP, CISA WHITE PAPER IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD PCI DSS for Merchants The Payment
More informationCustomer PCI 3.0 Changes = New Opportunity For You. Giles Witherspoon-Boyd SecurityMetrics
Customer PCI 3.0 Changes = New Opportunity For You Giles Witherspoon-Boyd SecurityMetrics Who is this guy? Giles Witherspoon-Boyd, PCIP 15 years in technology, 4 years at SecurityMetrics SecurityMetrics
More informationUNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE
UNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE April 30 th, 2014 Sean Mathena CISSP, CISA, QSA Trustwave Managing Consultant WELCOME AND AGENDA PCI-DSS 3.0 Review the high-level areas that have changed
More informationPAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW
PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW David Kittle Chief Information Officer Chris Ditmarsch Network & Security Administrator Smoker Friendly International / The Cigarette Store Corp
More informationPAYMENT CARD INDUSTRY (PCI) COMPLIANCE WORKBOOK. PCI SAQ TYPE B Level 4. Virtual Terminals
COAST GUARD MORALE WELL-BEING AND RECREATION (MWR) PROGRAM PAYMENT CARD INDUSTRY (PCI) COMPLIANCE WORKBOOK PCI SAQ TYPE B Level 4 Virtual Terminals 31 December 2014 COPYRIGHT NOTICE Copyright 2008-2014
More informationCardControl. Credit Card Processing 101. Overview. Contents
CardControl Credit Card Processing 101 Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new and old
More informationPlotting a Course for EMV Compliance
Plotting a Course for EMV Compliance Plotting a Course for EMV Compliance PCI compliance...emv compliance by now, you ve heard repeatedly that your store or restaurant must be EMV-compliant by the recently
More informationDon Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer
Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud
More informationPCI DSS Overview. By Kishor Vaswani CEO, ControlCase
PCI DSS Overview By Kishor Vaswani CEO, ControlCase Agenda About PCI DSS PCI DSS Applicability to Banks, Merchants and Service Providers PCI DSS Technical Requirements Overview of PCI DSS 3.0 Changes Key
More information