Key USP s. Multiple PCI level GRC tool

Transcription

1 PCI GRC tool

2 Introduction GP history Visa level 1 approved hosting facility Niche product for a specific problem Reduce BAU cost and cost of PCI compliance Reduce cost in managing 3rd parties PCI stakeholder engagement Metering PCI compliance all year long Less dependency on QSA as the baseline is set and agreed

3 Key USP s Multiple PCI level GRC tool Based on the compliance reporting as expected by the QSA and the Acquiring Banks Every item included in the solution is based on key audit points that will be required to show their activities over a period of time Integration and Management of 3 rd Parties Complete visibility into 3 rd parties risks, assets, policies and projects Online registration and data entry Merchant has complete control over 3 rd party PCI compliance Complete System of Record for PCI DSS 3.1 Backbone to PCI DSS 3.1 Governance, Reporting and Compliance Continuously evolves as PCI requirement changes Complete audit trail across many periods Fully hosted and accessible from anywhere Perfect tool for operations to use on an ongoing basis to ensure compliance

4 Target audience Level 1 processing over 6M Visa transactions per year. Level 2 processing 1M to 6M Visa transactions per year. Level 3 QSA required No QSA required 20,000 to 1M Visa e-commerce transactions per year Level 4 20,000 Visa e-commerce transactions per year, and all other merchants

5 What is PCI GRC? A new concept to the PCI sector Allows merchants to be organised and structured in the management on their PCI obligations Puts the merchant in control of its PCI estate Reduces OPEX on PCI compliance Breaks down all the PCI reporting compliance into manageable task distributed across your organisation with consolidated reporting Online based self reporting that can be expanded nationwide Reduces the need to have multiple Auditors with the self assessment capabilities PCI GRC Acquiring Banks PCI scope PCI stakeholders PCI non compliance PCI compliance status Policy management Policy change management PCI 3 rd parties Merchant ID Payment channels Business units Notification & escalation Compliance dashboard Policy owners & review dates Business demand for MIDs Payment systems Project managers Risk assessment of changes Compliance assessment SAQs Incident reporting Remediation & approval Incident notification Online Self reporting Policy enforcement Non compliance reporting Service catalogue

6 A consolidated system of records for PCI PCI Locations Centralised self reporting PCI Policies PCI service catalogue PCI GRC PCI Projects PCI non tech risks PCI 3 rd parties Merchant IDs

7 Merchant ID

8 MID lifecycle MID request Business units complete online form They select options from the form PCI scope alignment Business units selects from a Service catalogue in the PCI scope PCI compliance PCI team assesses the request for PCI compliance Treasury approval Treasury receive a PCI compliant request ready for Acquiring Bank submission Acquiring Bank MID assignment PCI compliance reporting per MID

9 Integration with multiple payment processors

10 Linking Merchant IDs into your PCI scope

11 PCI request register/form 1. PCI request form completed 2. Request is sent to PCI POC for review and approval 3. Once POC approves, it is sent to Treasury for treasury approval 4. Request approver approves and it is sent to supplier 5. Supplier gets the form and enters confirmation number and confirmation is sent to all the parties 6. Request is archived and added to the PCI scope 7. Update to existing a. New role called Treasury b. PCI location linked to business departments c. MID to be associated to each payment channel d. Business units to reflect payment scope e. Business department to include address, f. Acquiring bank to include user accounts 8. Permission can be set

12 MID Request - General

13 MID Request Card Readers

14 MID Request ecommerce

15 Managing multiple PCI locations & Business units

16 PCI merchant ID System of record from Merchant ID to risks The foundation of the PCI compliance starts from your Merchant ID. Every activity you carry is based on the decision of whether or not the activity is in scope (within the Merchant ID or out of scope (not within the Merchant ID.

17 PCI Asset register

18 PCI GRC approach to Asset management Projects Assets PCI projects PCI changes PCI systems PCI devices (Telephone) Technical Assets PCI firewalls PCI routers PCI devices PCI GRC 3 rd party Assets 3 rd PCI systems 3 rd PCI devices 3 rd PCI locations PCI physical locations Merchant owned locations 3 rd party owned locations

19 System of record PCI reporting range Merchant ID Acquiring Bank Business units Business projects Risk assessment Payment channels E-commerce Cardholder present Cardholder not present Payment apps Risk assessment PCI 3 rd party suppliers E-commerce redirect PCI products & services 3 rd party procurement PCI service catalogue Risk assessment PCI change management Software development lifecycle Business acquisitions New sales projects New suppliers Due diligence PCI BAU activities PCI policies & procedures PCI QSA & ASV reports PCI risk management Prioritized approach reporting PCI SAQs PCI Assets & network elements Network monitoring solutions

20 PCI Asset management PCI Assets linked to risks, Policies and projects Automated PCI Asset network monitoring Integration with PCI Asset monitoring tools

21 PCI 3 rd parties

22 What is the contractual expectation of Acquiring Banks in relation to 3 rd parties The Merchant must notify Acquiring Banks of all third parties who have access to Cardholder data on behalf of the Merchant (i.e., store, process or otherwise transmit Cardholder data). The Merchant acknowledges such third parties are required by the Card Schemes to be registered, and the Merchant shall cooperate with Acquiring Banks in completing such registration and be responsible for all fees imposed by the Card Schemes in connection therewith. The Merchant shall notify Acquiring Bank immediately if it becomes aware of or suspects any security breach relating to Transaction Data and shall also (and without prejudice to any other remedy Acquiring Bank have in respect thereof) immediately identify and resolve the cause of such security breach and take any steps that Acquiring Bank may require of the Merchant to do so, including as reasonably necessary the procurement (at the Merchant s cost) of forensic reports from third parties recommended by Acquiring Bank.

23 The MasterCard service provider compliance list

24 PCI compliant PCI service providers are maintained with automatic notification

25 Your PCI service providers: Products and services

26 Visa & MasterCard approved suppliers Validation date

27

28 Managing external providers and their obligations

29 QSAs and their deliverables QSA

30 PCI prioritized approach

31 PCI service catalogue PCI products and service view

32 PCI products and services placed with merchants

33 PCI risks with resolution links to suppliers

34

35 PCI risk reporting

36 Records kept to show PCI risk mitigation efforts lesson learnt can be shared group wide PCI Risk reporting PCI risk register PCI Asset register Business units Suspicious activities PCI policy register PCI 3 rd parties Customer complaints Anomaly reporting PCI BAU team notification PCI policy register PCI project register Contact centres Banned cards PCI risk assessment Online tool available to Manager level or regional level contact

37 PCI Risk reporting from business units

38 PCI reporting

39 PCI prioritized approach

40 PCI prioritized approach summary

41 The End