How Secure is Your Payment Card Data?
- Shon Tyler
Slide 1: How Secure is Your Payment Card Data? Complying with PCI DSS
Slide 2: PRESENTERS
- Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA; Managing Director, IT Security Practice; PCI Practice Leader. Francis has practiced public accounting and consulting. He has extensive experience providing information technology audit and internal control guidance to public and private companies. Francis' expertise in technology consulting includes payment card industry security, IT governance, systems analysis, requirements analysis, systems selection and configuration, policy development, and more. He is the winner of the 1992 AICPA Elijah Watt Sells Award with Highest Distinction in the Uniform CPA Examination.
- Kevin Villanueva, CISSP, CISA, CISM, PCI QSA; Senior Manager, IT Security and Infrastructure Practice Leader. Kevin has been in the information technology field since 1998 and leads the firm's information security and infrastructure practice. He is considered expert-level staff in the areas of information security, disaster recovery planning, and strategic technology planning. He has experience in technology security assessments, systems auditing and assessments, network and system design, disaster recovery planning, information systems integration, and more. Kevin holds the Certified Information Systems Security Professional (CISSP) designation from ISC2 and ISACA's Certified Information Security Manager (CISM) designation.
Slide 3: The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.
Slide 4: OBJECTIVES
You will leave this session with an understanding of:
- The background, history, compliance, and audit requirements of the Payment Card Industry (PCI) Data Security Standard (DSS)
- Leveraging a PCI DSS audit to achieve audit efficiencies with other compliance and/or regulatory audits
- Highlights of the changes from 2010 (v1.2) to (v2.0)
- Key compliance tips
Slide 5: POLLING QUESTION #1
How would you classify yourself?
1. A level 1 service provider or merchant
2. A non-level 1 service provider or merchant
3. Other
4. I do not know
Slide 6: Background & History (Kevin Villanueva)
Slide 7: CARD BREACHES ARE ON THE RISE
2011 security breaches by industry:
- Food and Beverage: 43.6%
- Retail: 33.7%
- Hospitality: 8%
- Financial: 3.4%
- Entertainment: 3.4%
- Energy: 2.7%
- Misc.: 5.2%
Source: Trustwave's Global Security Report 2011
Slide 8: NOTABLE CARD BREACHES
- TJX Companies (2007): Hackers compromised the wireless network to steal information on approximately 94 million card transactions.
- Heartland Payment Systems (2008): Hackers attacked the system used to process card transactions and inserted malware. Up to 100+ million transactions compromised.
- Global Payments (2012): Hackers attacked the GP network. 1.5 million card account numbers accessed. Resulted in Visa dropping the card processor until they receive a new report on compliance.
- Sony PS Network (2011): Hackers accessed an old database containing consumer info and credit card info. Millions of customers' information stolen.
Slide 9: PCI OVERVIEW
- Not a Federal regulation, but an industry regulation. Nevada, Minnesota and Washington have state PCI compliance laws.
- Purpose is to help prevent credit card fraud and maintain public confidence in payment cards.
- Applies to all entities that process, store, or transmit payment card information; all of them need to comply (the Primary Account Number, PAN, is the deciding factor).
- Card transaction players: card brands, merchants, service providers, acquirers, and issuers.
- Effective compliance dates vary depending on merchant level or service provider level and card brand. All deadline enforcement will come from the acquiring bank.
- Card brands have their own compliance programs and are responsible for compliance tracking, enforcement, penalties, and fees.
Slide 10: PCI OVERVIEW
- PCI Security Standards Council (PCI SSC or the Council), founded in 2006, is responsible for the development, management, education, and awareness of the PCI Security Standards.
- PCI Data Security Standard (PCI DSS) is a comprehensive set of international security requirements for protecting cardholder data.
- Payment Application Data Security Standard (PA-DSS) is a set of requirements for software vendors to develop secure payment applications.
- PCI PIN Transaction Security (PCI PTS) is a set of requirements for device vendors and manufacturers for all personal identification number (PIN) terminals, including POS devices, encrypting PIN pads, and unattended payment terminals.
Slide 11: THE PAYMENT CARD TRANSACTION
[Diagram of the parties in a payment card transaction: Cardholder, Merchant, Service Provider, Acquirer (Merchant Bank), Payment Brand Network, Issuer (Consumer Bank)]
Slide 12: MOBILE COMMERCE DEVELOPMENTS
- Retail purchases made through mobile have gone from 6% to 15% of purchases in only one year
- 25% of consumers engage in online shopping only via mobile
- Worldwide mobile payment transactions will surpass $171.5 billion in 2012, up 62% from $106 million last year
- Merchant Customer Exchange: new mobile commerce platform developed for retailers
Slide 13: MOBILE COMMERCE & APPS
How does payment card security compliance apply to:
- Purchases made by consumers through your mobile app or mobile site?
- Differences among payment card security at the store, on a computer, or on a phone?
PCI-SSC has developed Mobile Payment Acceptance Application Categories:
- Category 1 - Payment application operates only on a PTS-approved mobile device.
- Category 2 - Payment application meets 3 criteria: (1) bundled with a mobile device, (2) mobile device is purpose built for payment acceptance only, and (3) provides an environment that allows the merchant to meet and maintain PCI-DSS compliance.
- Category 3 - Payment application operates on any consumer electronic handheld device that is not solely dedicated to payment acceptance.
Slide 14: THE ACQUIRER'S ROLE
Acquirers (Merchant Bank) are responsible for:
- Ensuring their merchants are PCI DSS compliant
- Managing merchant communications
- Working with their Level 1 merchants until full compliance has been validated. Merchants are NOT COMPLIANT UNTIL ALL REQUIREMENTS have been met and validated.
- Providing Visa their merchants' compliance status.
- Any liability that may occur as a result of noncompliance
Slide 15: ROLES OF THE QSA & ASV
QSA - Qualified Security Assessor
- Certified to validate compliance with PCI-DSS
- Qualified Security Assessor companies have been qualified to have their employees assess compliance to the PCI-DSS standard
- Qualified Security Assessors are employees of these organizations who have been certified to validate an entity's adherence to the PCI-DSS
ASV - Approved Scanning Vendor
- Approved Scanning Vendors are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers.
Slide 16: PCI DSS REQUIREMENTS
Slide 17: MERCHANT LEVELS

| Merchant Level | Description |
| --- | --- |
| 1 | Merchants processing over 6 million Visa transactions annually (all channels) or global merchants identified as Level 1 by any Visa region. |
| 2 | Merchants processing 1 million to 6 million Visa transactions annually (all channels). |
| 3 | Merchants processing 20,000 to 1 million Visa e-commerce transactions annually. |
| 4 | Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually. |

Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit, and prepaid) from a merchant Doing Business As (DBA).
Slide 18: SERVICE PROVIDERS

| Service Provider Level | Description | Posted on Visa's Global List of Validated Service Providers |
| --- | --- | --- |
| 1 | VisaNet processors or any service provider that stores, processes, and/or transmits over 300,000 Visa transactions annually. | Yes |
| 2* | Any service provider that stores, processes, and/or transmits less than 300,000 Visa transactions annually. | No* |

* Level 2 service providers may choose to validate as a Level 1 service provider in order to be listed on Visa's Global List of Validated Service Providers.
Slide 19: VALIDATION REQUIREMENTS

| Group | Level | Compliance action: comply with PCI-DSS | Validation action: on-site security assessment | Validation action: self-assessment questionnaire | Validation action: network scan* |
| --- | --- | --- | --- | --- | --- |
| Merchant | 1 | Required | Required annually | | Required quarterly |
| Merchant | 2 & 3 | Required | | Required annually | Required quarterly |
| Merchant | 4** | Required | | Recommended | Recommended quarterly |
| Service Provider | 1 | Required | Required annually | | Required quarterly |
| Service Provider | 2 | Required | | Required annually | Required quarterly |

* Network scanning is applicable to any internet-facing system.
** Validation requirements are determined by the merchant's acquirer.
Slide 20: SELF-ASSESSMENT QUESTIONNAIRES (SAQs)

| SAQ | Description |
| --- | --- |
| A | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. |
| B | Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage. |
| C-VT | Merchants using only web-based virtual terminals, no electronic cardholder data storage. |
| C | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. |
| D | All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment card brand as eligible to complete an SAQ. |
Slide 21: POLLING QUESTION #2
The Payment Card Industry (PCI) Security Standards Council (SSC) is responsible for enforcing PCI-DSS compliance.
1. True
2. False
Slide 22: Highlights of Changes: v1.2-v2.0 (Francis Tam)
Slide 23: HIGHLIGHTS OF CHANGES: V1.2 TO V2.0
- v1.2.1, which had been in effect since July of 2009, was superseded by v2.0 on October 28, 2010
- Aligned PCI-DSS better with PA-DSS and other industry best practices
- No new requirements; only added guidance or clarifications
- Clarifications on intent and wording of requirements or test procedures with example(s)
Slide 24: HIGHLIGHTS OF CHANGES: V1.2 TO V2.0
- Added guidance on test procedures and new technologies, such as virtualization and private cloud adoption
- Recognition of small merchant environments: be more flexible
- Eliminate redundant sub-requirements
Slide 25: HIGHLIGHTS OF CHANGES: V1.2 TO V2.0 EXAMPLES
- Virtualization req - In-scope and out-of-scope virtual machines can co-exist as long as there is only one primary function per virtual system component.
- Storage of Sensitive Authentication Data (SAD) - req 3.2 - V2.0 allows the storage of SAD if there is sufficient business justification and the data is stored securely. This is only for card issuers and companies that support issuing processing.
Slide 26: HIGHLIGHTS OF CHANGES: V1.2 TO V2.0 EXAMPLES
- Risk-based approach for addressing vulnerabilities - req 6.2 & - Assign risk ranking to vulnerabilities. Also impacts req and 11.2. Implementation date July 1,
Slide 27: HIGHLIGHTS OF CHANGES: V1.2 TO V2.0 EXAMPLES
- Expansion of definition of personnel - req 9.2 - This requirement now applies to on-site personnel and not just employees.
- Support centralized auditing - req 10.5 - Audit data must be able to be moved to a centralized log server, such as syslog-ng or Windows Event Logs. Logs of external-facing technologies (for example, wireless, firewalls, DNS, mail) are offloaded or copied onto a secure centralized internal log server or media.
Slide 28: POLLING QUESTION #3
In PCI DSS v2.0, req 9 (Restrict Physical Access to Cardholder Data) was changed such that it applies to:
1. Only card database administrators
2. Only employees
3. All on-site personnel
4. All personnel
Slide 29: Key Compliance Tips (Kevin Villanueva)
Slide 30: KEY COMPLIANCE TIPS
- If cardholder data is not needed, don't keep it!
- Know what is on your network (run discovery tools: Cornell Spider, PANbuster, Vericept)
- Maintain a central repository for security-related activities throughout the year (vulnerability scan results, system/device reviews, diagrams, etc.)
- Develop security configuration standards for all your server types and devices (e.g., DCs, web, database, firewall, etc.)
- Maintain a data retention policy and stick to it!
Slide 31: KEY COMPLIANCE TIPS
- Encrypt databases/files prior to committing them to backup tape/removable media
- Install A/V on your database servers that store cardholder data (or document compensating controls)
- Segment ("cocoon") your CDE and use two-factor authentication for remote access (internal pen testing is not necessary)
- Institute a verification step for non-face-to-face password resets (e.g., employee ID)
Slide 32: KEY COMPLIANCE TIPS
- In virtualized environments, limit the number of mixed-mode servers (use separate partitions for each virtual host)
- Implement POS systems with point-to-point encryption (P2PE) functionality (reduces scope)
- Conduct quarterly vulnerability scans and address vulnerabilities immediately
- Look to information security best practice frameworks for guidance (ISO 27002, NIST 800, COBIT)
Slide 33: PREPARING FOR A PCI-DSS ASSESSMENT
- Gather Documentation: Security policies, change control records, operational procedures, network diagrams, PCI DSS letters, and notifications
- Schedule Resources: Obtain dedicated participation of a project manager and key people from IT, business operations, human resources, and legal
- Describe the Environment: Organize information about the cardholder data environment, including cardholder data flows and locations of cardholder data repositories
Slide 34: POLLING QUESTION #4
Which of the following are ways I can reduce the scope of a PCI-DSS compliance audit?
1. Use POS systems with point-to-point encryption functionality
2. Segment the cardholder data environment
3. Delete primary account numbers from systems
4. 1 and 2 only
5. All of the above
Slide 35: Leveraging PCI DSS Audit (Francis Tam)
Slide 36: LEVERAGING PCI DSS AUDIT
Documentation collected for PCI-DSS requirements can be repurposed for other audits:
- Test results completed for PCI requirements can be used or relied upon by SAS 70/SSAE 16 auditors
- Policies and templates developed for PCI compliance, such as information security policies and user request forms, can be used for systems without cardholder data
- Security awareness training and acceptable use policies can fill possible gaps in existing Human Resources policies
Slide 37: LEVERAGING PCI DSS AUDIT

| Description of Good Practices | PCI-DSS v2 | ISO | HIPAA | COBIT (SOX) |
| --- | --- | --- | --- | --- |
| Install and maintain a firewall configuration to protect data | | | (e)(1) | DS5.11 |
| Use and regularly update anti-virus software or programs | | | (a)(5) | DS5.9 |
| Assign a unique ID to each person with computer access | | | (a)(1) | DS5.4 |
| Regularly test security systems and processes | | | (b) | AI2.3 |
Slide 38: LEVERAGING PCI DSS AUDIT
PCI requirements can be used to drive existing internal projects:
- In some areas, PCI requirements may be more stringent than existing practices and can be used to enforce stronger security. For example, two-factor authentication is required for remote access, and weak wireless encryption such as WEP is prohibited.
- Communication of scheduled QSA assessment dates can force deadlines and uniform practices for unresponsive or isolated departments.
Slide 39: LEVERAGING PCI DSS AUDIT
Conversely, existing internal projects may be used to satisfy some PCI requirements:
- Adopting cloud computing (may eliminate some of the requirements, such as Req. 10, 11.2 and 11.4).
- Safeguarding of private information initiatives, such as Personally Identifiable Information (PII) or Gramm-Leach-Bliley Act, may require Point-To-Point Encryption (P2PE), tokenization or two-factor authentication.
- Risk assessment can be leveraged to satisfy Req , especially if the existing risk assessment is based on ISO or NIST SP
Slide 40: REFERENCE MATERIALS
- PCI Website:
- Guidelines for Managing and Securing Mobile Devices in the Enterprise, Recommendations of the National Institute of Standards and Technology, Special Publication
- PCI DSS v2.0:
More informationThe PCI DSS Compliance Guide For Small Business
PCI DSS Compliance in a hosted infrastructure A Rackspace White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by
More informationPayment Card Industry Data Security Standard
Payment Card Industry Data Security Standard Office of the State Treasurer Ryan Pitroff Banking Services Manager Ryan.Pitroff@tre.wa.gov PCI-DSS A common set of industry tools and measurements to help
More informationProperty of CampusGuard. Compliance With The PCI DSS
Compliance With The PCI DSS Today s Agenda PCI DSS Introduction How are Colleges and Universities Affected? How Do You Validate Compliance? Best Practices Q&A CampusGuard Full-Service QSA/ASV Firm We Know
More informationPayment Card Industry Data Security Standard (PCI DSS) v1.2
Payment Card Industry Data Security Standard (PCI DSS) v1.2 Joint LA-ISACA and SFV-IIA Meeting February 19, 2009 Presented by Mike O. Villegas, CISA, CISSP 2009-1- Agenda Introduction to PCI DSS Overview
More informationTREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS
TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration
More informationTokenization Amplified XiIntercept. The ultimate PCI DSS cost & scope reduction mechanism
Tokenization Amplified XiIntercept The ultimate PCI DSS cost & scope reduction mechanism Paymetric White Paper Tokenization Amplified XiIntercept 2 Table of Contents Executive Summary 3 PCI DSS 3 The PCI
More informationPCI 3.1 Changes. Jon Bonham, CISA Coalfire System, Inc.
PCI 3.1 Changes Jon Bonham, CISA Coalfire System, Inc. Agenda Introduction of Coalfire What does this have to do with the business office Changes to version 3.1 EMV P2PE Questions and Answers Contact Information
More informationCredit Card Processing, Point of Sale, ecommerce
Credit Card Processing, Point of Sale, ecommerce Compliance, Self Auditing, and More John Benson Kurt Willey HACKS REGULATIONS Greater Risk for Merchants Topics Compliance Changes Scans Self Audits
More informationAn article on PCI Compliance for the Not-For-Profit Sector
Level 8, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 An article on PCI Compliance for the Not-For-Profit Sector Page No.1 PCI Compliance for the Not-For-Profit Sector
More informationIt is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.
PCI FAQ And MYTHS FREQUENTLY ASKED QUESTIONS (FAQ): Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process,
More informationData Security & PCI Compliance & PCI Compliance Securing Your Contact Center Securing Your Contact Session Name :
Data Security & PCI Compliance Securing Your Contact Center Session Name : Title Introducing Trevor Horwitz Pi Principal, i TrustNet t trevor.horwitz@trustnetinc.com John Simpson CIO, Noble Systems Corporation
More informationHow To Protect Your Credit Card Information From Being Stolen
Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals Electronic Cardholder
More informationAIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009
AIS Webinar Payment Application Security Hap Huynh Business Leader Visa Inc. 1 April 2009 1 Agenda Security Environment Payment Application Security Overview Questions and Comments Payment Application
More informationAchieving PCI Compliance for Your Site in Acquia Cloud
Achieving PCI Compliance for Your Site in Acquia Cloud Introduction PCI Compliance applies to any organization that stores, transmits, or transacts credit card data. PCI Compliance is important; failure
More informationICCCFO Conference, Fall 2011. Payment Fraud Mitigation: Securing Your Future
ICCCFO Conference, Fall 2011 Payment Fraud Mitigation: Securing Your Future Presented by: Brian Irwin, CTP Vice President Fifth Third Bank Commercial Treasury Management And Claire Dittrich Executive Consultant-
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced Version 3.0 February
More informationSo you want to take Credit Cards!
So you want to take Credit Cards! Payment Card Industry - Data Security Standard: (PCI-DSS) Doug Cox GSEC, CPTE, PCI/ISA, MBA dcox@umich.edu Data Security Analyst University of Michigan PCI in Higher Ed
More informationPCI Compliance for Cloud Applications
What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage
More informationHow To Protect Your Business From A Hacker Attack
Payment Card Industry Data Security Standards The payment card industry data security standard PCI DSS Visa and MasterCard have developed the Payment Card Industry Data Security Standard or PCI DSS as
More informationPCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES
PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES CUTTING THROUGH THE COMPLEXITY AND CONFUSION Over the years, South African retailers have come under increased pressure to gain PCI DSS (Payment Card Industry
More informationWHITE PAPER. PCI Basics: What it Takes to Be Compliant
WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through
More informationPCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard rking@campusguard.com
PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard rking@campusguard.com Whoops!...3.1 Changes 3.1 PCI DSS Responsibility Information Technology Business Office PCI DSS Work Information
More informationPayment Card Industry - Achieving PCI Compliance Steps Steps
CUR RITY SE Data Security Requirements for K-12 January 28, 2010 Payment Card Industry (PCI) SE CUR RITY 1 Welcome To Join The Voice Conference Dial 866-939-3921 Technical issues press 0 Q & A We ll leave
More informationCorbin Del Carlo Director, National Leader PCI Services. October 5, 2015
PCI compliance: v3.1 Key Considerations Corbin Del Carlo Director, National Leader PCI Services October 5, 2015 Today s Presenter Corbin Del Carlo QSA, PA QSA Director, National Leader PCI Services Practice
More informationCase 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A
Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879 Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 2 of 116 PageID: 4880 Payment Card Industry (PCI)
More informationPAI Secure Program Guide
PAI Secure Program Guide A complete guide to understanding the Payment Card Industry Data Security Requirements and utilizing the PAI Secure Program. Letter From the CEO Welcome to PAI Secure. As you
More informationSecurityMetrics. PCI Starter Kit
SecurityMetrics PCI Starter Kit Orbis Payment Services, Inc. 42 Digital Drive, Suite 1 Novato, CA 94949 USA Dear Merchant, Thank you for your interest in Orbis Payment Services as your merchant service
More informationINFORMATION TECHNOLOGY FLASH REPORT
INFORMATION TECHNOLOGY FLASH REPORT Understanding PCI DSS Version 3.0 Key Changes and New Requirements November 8, 2013 On November 7, 2013, the PCI Security Standards Council (PCI SSC) announced the release
More informationSession 2: Self Assessment Questionnaire
Session 2: Self Assessment Questionnaire and Network Scans Kurt Hagerman CISSP, QSA Director of IT Governance and Compliance Services Agenda Session 1: An Overview of the Payment Card Industry Session
More informationPCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS
PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS CIVICA Conference 22 January 2015 WELCOME AND AGENDA Change is here! PCI-DSS 3.0 is mandatory starting January 1, 2015 Goals of the session
More informationPCI Risks and Compliance Considerations
PCI Risks and Compliance Considerations July 21, 2015 Stephen Ramminger, Senior Business Operations Manager, ControlScan Jon Uyterlinde, Product Manager, Merchant Services, SVB Agenda 1 2 3 4 5 6 7 8 Introduction
More informationPCI DSS COMPLIANCE DATA
PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities
More informationPCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014
PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions
More informationPayment Card Industry Data Security Standards
Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This
More informationPCI Compliance. PCI DSS v3.1. Dan Lobb CRISC. Lisa Gable CISM
PCI Compliance PCI DSS v3.1 Dan Lobb CRISC Lisa Gable CISM Dan Lobb, CRISC o Introduction Dan has an MIS degree from the University of Central Florida. He began his career at Accenture and for the past
More informationDATA SECURITY. Payment Card Industry (PCI) Compliance Steps for Organizations May 26, 2010. 2010 Merit Member Conference
2010 Merit Member Conference Compliance Steps for Organizations May 26, 2010 Payment Card Industry (PCI) 1 Welcome 2 Welcome Q & A We ll leave time to address questions during the last 15 minutes of the
More informationTNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business
TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment
More informationA Compliance Overview for the Payment Card Industry (PCI)
A Compliance Overview for the Payment Card Industry (PCI) Many organizations are aware of the Payment Card Industry (PCI) and PCI compliance but are unsure if they are doing everything necessary. This
More information