PCI Data Security Standard Overview and observations from the field. Andrea Del Miglio Practice Manager 28 March 2007

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "PCI Data Security Standard Overview and observations from the field. Andrea Del Miglio Practice Manager 28 March 2007"

Transcription

1 PCI Data Security Standard Overview and observations from the field Andrea Del Miglio Practice Manager 28 March 2007

2 Sample Agenda Slide 1 PCI background information 2 PCI Data Security Standard Top reasons for non compliance 4 Strategies for achieving compliance 5 Symantec PCI services Andrea Del Miglio Symantec Corporation PCI Data Security Standard 2

3 PCI Background Information Andrea Del Miglio Symantec Corporation PCI Data Security Standard 3

4 Payment Card Security Programs: Why? Credit card fraud occurrences have been increasing over the years and the problem is not going away Cardholders need assurances that their purchases will be secure Credit card companies do not control credit card payment transactions from end to end Credit card companies need to protect their brands Credit card companies need some mechanism to share the liability for cardholder data security Andrea Del Miglio Symantec Corporation PCI Data Security Standard 4

5 Prior Payment Card Security Programs Individual programs existed prior to the PCI standard Visa: Cardholder Information Security Program (CISP) MasterCard: Site Data Protection Program (SDP) American Express What s wrong with this picture? Companies have to follow more than one process to achieve the same end goal Redundancies between programs Different lists of qualified assessors may require companies to contract with more than one independent assessor to complete all the audits Discrepancies between the different security standards Andrea Del Miglio Symantec Corporation PCI Data Security Standard 5

6 The PCI Data Security Standard PCI Data Security Standard (DSS) was created in December 2004 to create a single security standard Visa managed the DSS and auditing procedures/process MasterCard ran the scanning procedures/process September 2006 the PCI Security Standards Council was created Founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International Took ownership of the PCI DSS and scanning procedures Took ownership of the Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) program Certifying companies to perform audits Certifying companies to perform security scanning Released new PCI DSS v1.1 impacting all future compliance Andrea Del Miglio Symantec Corporation PCI Data Security Standard 6

7 The Intent of the PCI DSS Protect cardholder data 1 2 Primary Account Number (PAN) Expiration date Storage, transmission, and display of this data Strictly control payment card track data Raw data extracted from the magnetic 3 strip Track data can be used to duplicate payment cards Track data should never really need to be stored Keep payment card authentication data secure 4 CVV2: Card Verification Value 2 (Visa) CVC2: Card Verification Code (MasterCard) Reduce the overall risk of potential cardholder data compromise Andrea Del Miglio Symantec Corporation PCI Data Security Standard 7

8 Payment Card Transaction Examples: Typical Visa Transaction Merchant Authorization Request Processor Acquirer (Merchant Bank) Authorization Response VisaNet Cardholder Issuer Processor Andrea Del Miglio Symantec Corporation PCI Data Security Standard 8

9 Payment Card Transaction Example: Typical Visa E-commerce Transaction Payment Gateway Processor E-Commerce Merchant Authorization Request Acquirer (Merchant Bank) INTERNET Authorization Response VisaNet Cardholder Issuer Processor Andrea Del Miglio Symantec Corporation PCI Data Security Standard 9

10 Who needs to be compliant? All organizations that handle credit card transactions must be PCI compliant Affects: Merchants: typically accept credit cards directly from customers as a form of payment Service Providers: typically process credit card transactions on behalf of merchants Payment card issuers and transaction acquirers with direct connection to Visa or MasterCard s processing network Sliding scale for compliance requirements Based on volume of credit cards processed annually Merchants: Levels 1-4 Service Providers: Levels 1-3 The higher the transaction volume or the more risky the transactions the more rigorous the compliance requirements become Andrea Del Miglio Symantec Corporation PCI Data Security Standard 10

11 Merchant Requirements Qualifications Requirements Completed By Level 1 > 6 million transactions annually regardless of channel Has suffered an attack resulting in cardholder data compromise Annual On-Site Audit Quarterly Network Scan QSA or internal auditor if signed by officer of the company Qualified Independent Scan Vendor Others at Visa/MC discretion Level 2 1 million to 6 million Visa transactions Annual Self-Assessment Merchant annually Quarterly Network Scan Qualified Independent Scan Vendor Level 3 20,000 to 1 million e-commerce transactions annually Annual Self-Assessment Quarterly Network Scan Merchant Qualified Independent Scan Vendor Level 4 Fewer than 20,000 Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year Annual Self-Assessment Quarterly Network Scan Merchant Qualified Independent Scan Vendor Andrea Del Miglio Symantec Corporation PCI Data Security Standard 11

12 Service Provider Requirements Qualifications (applies to either card) Requirements Validated By Level 1 All VisaNet processors (member and non-member) All payment gateways Annual On-Site Audit Quarterly Network Scan QSA Qualified Independent Scan Vendor Level 2 Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually. Annual On-Site Audit Quarterly Network Scan Service Provider Qualified Independent Scan Vendor Level 3 Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually. Annual Self-Assessment Quarterly Network Scan Service Provider Qualified Independent Scan Vendor Andrea Del Miglio Symantec Corporation PCI Data Security Standard 12

13 Annual PCI Self-Assessment Questionnaire Required for Level 2 and 3 merchants Required for Level 3 service providers Captures Organization information Business description All third-party providers POS hardware/software used Consists of 6 sections 75 individual questions Must answer all questions Yes: compliant with requirement No: non-compliant with requirement N/A: brief written explanation is required Andrea Del Miglio Symantec Corporation PCI Data Security Standard 13

14 PCI Assessment Process: Level 1 Merchants QDSC completes an onsite PCI assessment QDSC creates Report on Compliance Includes results of quarterly scanning Includes in-place/not in-place results for all 204 individual requirements QDSC provides ROC to merchant Merchant provides ROC to upstream service provider or acquirer Quarterly Scanning Results Merchant Contracts QDSC QDSC Performs Onsite Audit Compliance Decision QDSC Generates ROC Report on Compliance QDSC Provides ROC to Merchant Merchant Provides ROC to Service Provider Andrea Del Miglio Symantec Corporation PCI Data Security Standard 14

15 PCI Assessment Process: Level 1&2 Service Providers QDSC completes an onsite PCI assessment QDSC creates Report on Compliance Includes results of quarterly scanning Includes in-place/not in-place results for all 204 individual requirements QDSC is required to complete a service provider compliance status form QDSC provides both directly to Visa USA Quarterly Scanning Results Service Provider Contracts QDSC QDSC Performs Onsite Audit Compliance Decision QDSC Generates ROC QDSC Completes Compliance Status Form Report on Compliance Service Provider Compliance Status Form QDSC Provides Directly to Visa Andrea Del Miglio Symantec Corporation PCI Data Security Standard 15

16 What Can Be Expected During an Onsite Assessment Qualified assessors are 100% dependant on the merchant or service provider PCI DSS is comprehensive, therefore it takes time to complete PCS DSS testing procedures are focused on validation of practices, not blindly accepting statements from customers Requires considerable participation from the merchant or service provider Access to customer resources is a key success factor Andrea Del Miglio Symantec Corporation PCI Data Security Standard 16

17 PCI Penalty Structure Reactive penalties Penalties are levied after a compromise of cardholder data Penalties effect acquirers and issuers directly due to contractual relationship and network connections to payment card firms Non-compliant merchants and service providers may receive penalties indirectly from their upstream acquirer Penalties Fines: Egregious violations up to $500k Forensics investigation costs Issuer/Acquirer losses Dispute resolution costs Operating restrictions on merchants Operating restrictions on service providers Visa s Compliance Acceleration Program (CAP) Fines for acquirers who have not validated that full track data is not being retained by their Level 1 Merchants by September 30, 2006 Acquirers will be fined between $5,000 and $25,000 a month for each of its Level 1 and 2 merchants who have not validated by September 30, 2007 and December 31, 2007 respectively. Acquirers failing to provide confirmation that their Level 1 and 2 merchants are not storing full track data, CVV2 or PIN data by March 31, 2007 will be eligible for fines up to $10,000 a month per merchant. Andrea Del Miglio Symantec Corporation PCI Data Security Standard 17

18 PCI DSS 1.1 Andrea Del Miglio Symantec Corporation PCI Data Security Standard 18

19 PCI Data Security Standard v1.1 Build and Maintain a Secure Network 1) Install and maintain a firewall configuration to protect cardholder data 2) Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3) Protect stored cardholder data 4) Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5) Use and regularly update anti-virus software 6) Develop and maintain secure systems and applications Implement Strong Access Control Measures 7) Restrict access to cardholder data by business need-to-know 8) Assign a unique ID to each person with computer access 9) Restrict physical access to cardholder data Regularly Monitor and Test Networks 10) Track and monitor all access to network resources and cardholder data 11) Regularly test security systems and processes Maintain an Information Security Policy 12) Maintain a policy that addresses information security Andrea Del Miglio Symantec Corporation PCI Data Security Standard 19

20 Requirement 1.1 Firewall Configuration Standards Estabilish configuration standards that include: Configuration standards for all router and firewalls Approval process for all external connections and firewall changes Up-to-date network diagram (including WLANs) Firewall separing network segments (Internet from DMZs from internal network...) Description of groups, roles and responsibilities for logical management of network components Documented list of services/ports necessary for business, with specific justification for protocols not related to HTTP, SSL, SSH and VPN Quarterly review of firewall/router rule set Andrea Del Miglio Symantec Corporation PCI Data Security Standard 20

21 Requirement 1.2 Firewall Configuration Settings Build a firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment Audit must verify that only documented protocols are allowed in running configuration (see req. 1.1) Checks must be done for both inbound and outbound traffic Check a sample of: devices between the Internet and the DMZ devices between the DMZ and the internal network Andrea Del Miglio Symantec Corporation PCI Data Security Standard 21

22 Requirement Network segmentation and firewall rules Restrict connections between publicly accessible servers and any system storing cardholder data: Use a deny-all default policy Restrict inboud IP traffic to servers in DMZ Resctirct egress traffic to necessary protocols Restrict DMZ access from the internal network passing from the Internet Use stateful inspection Secure and synchronize router configuration files Place DB servers in the internal network Segregate WLANs from the cardholder data environment Use personal firewalls on employees PCs Prohibit direct public access between external networks and any system component that stores cardholder data Use RFC 1918 addresses Andrea Del Miglio Symantec Corporation PCI Data Security Standard 22

23 Requirement Audit procedures Network Architecture: Examine updated network diagram (see req. 1.1) for consistent segregation Firewall Review: Include ALL firewalls Review configuration files for ingress and egress rules for consistency with firewall policies Verify default policy which needs to be deny-all Evaluate protocols to determine necessity Personal firewall on laptops audit configuration of a sample population Andrea Del Miglio Symantec Corporation PCI Data Security Standard 23

24 Changes in PCI DSS v1.1 Terminology changes More consistent use of terms Attempted to remove vague terms (regularly, periodically, etc.) Provided more guidance Applicability guide for data elements PCI audit scoping Applicability for hosting providers Compensating controls Modified twenty six (26) existing requirements Added four (4) new requirements Andrea Del Miglio Symantec Corporation PCI Data Security Standard 24

25 New PCI Requirements Requirement Hosting provider applicability Focused on shared hosting providers, not merchants who outsource Focus on proper segmentation of hosted entities Requirement Spyware and adware Current anti-virus deployment must detect, remove, and protect against other malicious software, including spyware and adware. Requirement 6.6 Web application security Source code reviews are performed and/or application-layer firewall in front of application(s) Becomes a requirement June 30, 2008 Requirement Management of connected entities Focus on service providers and credit card processors Program in place Policies Procedures Documentation Andrea Del Miglio Symantec Corporation PCI Data Security Standard 25

26 Top reasons for non-compliance Andrea Del Miglio Symantec Corporation PCI Data Security Standard 26

27 Where is this data coming from? Telecommunications Global retailers Brick and mortar E-commerce Credit card issuers Internet service providers Financial services Cable and content providers Manufacturing Airlines Insurance Entertainment Fulfillment Education State & local government Andrea Del Miglio Symantec Corporation PCI Data Security Standard 27

28 Top 10 Reasons for Non-compliance 1. Inconsistent host hardening 2. Deficient logging practices 3. Deficient network management 4. Unencrypted cardholder data 5. Deficient security policies 6. Lack of identity management program 7. Deficient data retention practices 8. Poor vendor management (contracts) 9. Deficient encryption management practices 10. Patch management NOTE: Based on volume not security risk or compliance impact Andrea Del Miglio Symantec Corporation PCI Data Security Standard 28

29 The Top 5- A Closer Look: #1 #1: Inconsistent host hardening PCI DSS maintains focus on infrastructure Decentralized silo-style management Lack of secure build and management process No compliance monitoring program Solution Standardize build policies and process Centralized compliance management solution Centralized access control and logging Andrea Del Miglio Symantec Corporation PCI Data Security Standard 29

30 The Top 5- A Closer Look: #2 #2: Deficient logging practices Need to be able to identify, quantify, and react to security breaches Servers and applications are not configured to log enough data Logs aren t being centrally or securely stored Inadequate log data retention Missing logs due to configuration errors Solution Configure logging properly Centralized logging & monitoring Log file retention program Outsource security monitoring Andrea Del Miglio Symantec Corporation PCI Data Security Standard 30

31 The Top 5- A Closer Look: #3 #3: Deficient network management PCI DSS focuses on perimeter network security for the cardholder data environment Network access controls Segmentation Configuration management Organizations lack configuration management procedures for firewall ACLs Organizations don t document firewall configuration and operational procedures Cardholder data isn t treated differently Solution Create detailed firewall configuration and management procedures Isolate cardholder datastores from systems and users that don t require direct access Andrea Del Miglio Symantec Corporation PCI Data Security Standard 31

32 The Top 5- A Closer Look: #4 #4: Unencrypted cardholder data Encryption is expensive and difficult Legacy systems don t support encryption Organizations don t know where all the data resides Solution Never store data you don t need Application-level encryption, database package encryption, or encryption appliances Destroy sensitive data once unneeded Andrea Del Miglio Symantec Corporation PCI Data Security Standard 32

33 The Top 5: A Closer Look #5: Deficient security policies PCI validates existence and scope of policies Organizations haven t created all the required policies Policies don t meet PCI requirements Solution Collect all regulatory and industry requirements that impact you Identify commonality Create policies Policy management tools Manually Educate staff Andrea Del Miglio Symantec Corporation PCI Data Security Standard 33

34 Root Causes for Non-compliance Organizations often unknowingly collect sensitive data Organizations don t understand the extent of their cardholder environment Organizations don t understand who this sensitive data is being shared with Reactive rather than proactive approach to PCI compliance Bottom-up approach to PCI compliance instead of top-down Immature information security programs Andrea Del Miglio Symantec Corporation PCI Data Security Standard 34

35 Strategies for achieving compliance Andrea Del Miglio Symantec Corporation PCI Data Security Standard 35

36 Achieve Compliance by Reducing Scope PCI Data Security Standard (DSS) is two years old Organizations cardholder environments pre-date the PCI DSS The more systems that collect, process, and store cardholder data the larger the scope Large scopes typically result in compliance failure Heterogeneous networks and systems Decentralized business process management Infrastructure management by silo More chance to just make a dumb mistake Cardholder data is different from other corporate data and should be managed differently Reduced Scope = Fewer Moving Parts = Path to PCI Compliance Andrea Del Miglio Symantec Corporation PCI Data Security Standard 36

37 How to Reduce Scope Physical and logical segmentation Isolate credit card systems from all other internal network segments Implement strong network access controls to enforce least privilege access control model Defense in depth Centralization Consolidate cardholder datastores Databases Local file storage Minimize cardholder data footprint to only the systems that have a business need Stop the propagation of cardholder data to non-payment card related systems Standardization Standard method of communicating with business partners Standard encryption services Standard transport services Standard application platforms Operating systems Database applications Application servers Andrea Del Miglio Symantec Corporation PCI Data Security Standard 37

38 Example Success Stories Data sensitivity driven network architecture and access control model Evolution to a services-based application architecture Eliminated silo business process architectures Eliminated integration points and unnecessary datastores Scalable Complete centralization on mainframe Single access model Single database model Minimal external communication Outsource model Risk and liability managed through contracts Nearly zero cardholder data footprint Specialized encrypted storage solution for all non-database storage Focus on culture and behavior change Andrea Del Miglio Symantec Corporation PCI Data Security Standard 38

39 Symantec PCI Consulting Services Andrea Del Miglio Symantec Corporation PCI Data Security Standard 39

40 Symantec Payment Card Industry Services Providing organizations with industry-leading security expertise and proven methodologies to effectively plan, assess and execute PCI data security programs PCI Security Audit Service PCI Security Scanning Service PCI Compliance Readiness Review PCI Payment Application Best Practices Assessment Strategic and Tactical PCI Consulting Andrea Del Miglio Symantec Corporation PCI Data Security Standard 40

41 Symantec Differentiators People Security experts, not checklist auditors Average PCI consultant has 10 years security experience Comprehensive subject matter expertise Infrastructure security Application security Security program development Management approach Act as Trusted Advisor for all security needs Focus on customer needs Dedicated management team Results Clear and concise feedback Tailored ACTIONABLE recommendations Methodologies Designed to provide real value and increased ROI Designed to assist customers meet their short-term and long-term security goals Company Depth and breadth of security expertise at customer s disposal Executive support Products and services to meet any IT security need Symantec products and services can help you achieve compliance for all PCI requirements Andrea Del Miglio Symantec Corporation PCI Data Security Standard 41

42 PCI Resources Symantec PCI Services: Symantec Compliance Solutions: Symantec PCI contacts for Italy: PCI Security Standards Council: Andrea Del Miglio Symantec Corporation PCI Data Security Standard 42

43 T h a n k Y o u! 2007 Symantec Corporation. All rights reserved. THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND IS NOT INTENDED AS ADVERTISING. ALL WARRANTIES RELATING TO THE INFORMATION IN THIS DOCUMENT, EITHER EXPRESS OR IMPLIED, ARE DISCLAIMED TO THE MAXIMUM EXTENT ALLOWED BY LAW. THE INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. Andrea Del Miglio Symantec Corporation PCI Data Security Standard 43

Josiah Wilkinson Internal Security Assessor. Nationwide

Josiah Wilkinson Internal Security Assessor. Nationwide Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges

More information

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History

More information

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements

More information

PCI Compliance Overview

PCI Compliance Overview PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)

More information

Introduction to PCI DSS

Introduction to PCI DSS Month-Year Introduction to PCI DSS March 2015 Agenda PCI DSS History What is PCI DSS? / PCI DSS Requirements What is Cardholder Data? What does PCI DSS apply to? Payment Ecosystem How is PCI DSS Enforced?

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

AISA Sydney 15 th April 2009

AISA Sydney 15 th April 2009 AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks

More information

Your Compliance Classification Level and What it Means

Your Compliance Classification Level and What it Means General Information What are the Payment Card Industry (PCI) Data Security Standards? The PCI Data Security Standards represents a common set of industry tools and measurements to help ensure the safe

More information

Frequently Asked Questions

Frequently Asked Questions PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply

More information

Introduction to PCI DSS Compliance. May 18, 2009 1:15 p.m. 2:15 p.m.

Introduction to PCI DSS Compliance. May 18, 2009 1:15 p.m. 2:15 p.m. Introduction to PCI DSS Compliance May 18, 2009 1:15 p.m. 2:15 p.m. Disclaimer The opinions of the contributors expressed herein do not necessarily state or reflect those of the National Association of

More information

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing

More information

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP 2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com Overview PCI DSS In the beginning Each major card brand had its own separate

More information

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance

More information

PCI DSS Compliance in a hosted infrastructure

PCI DSS Compliance in a hosted infrastructure PCI DSS Compliance in a hosted infrastructure A Rackspace White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by

More information

PCI DSS. CollectorSolutions, Incorporated

PCI DSS. CollectorSolutions, Incorporated PCI DSS Robert Cothran President CollectorSolutions www.collectorsolutions.com CollectorSolutions, Incorporated Founded as Florida C corporation in 1999 Approximately 235 clients in 35 states Targeted

More information

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial

More information

Technical breakout session

Technical breakout session Technical breakout session Small leaks sink great ships Managing data security, fraud and privacy risks Tarlok Birdi, Deloitte Ron Borsholm, WTS May 27, 2009 Agenda 1. PCI overview: the technical intent

More information

PCI Compliance. Top 10 Questions & Answers

PCI Compliance. Top 10 Questions & Answers PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements

More information

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0 Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0 September 2011 Changes Date September 2011 Version Description 1.0 To introduce PCI DSS ROC Reporting Instructions

More information

PCI Compliance Top 10 Questions and Answers

PCI Compliance Top 10 Questions and Answers Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

PCI Security Compliance

PCI Security Compliance E N T E R P R I S E Enterprise Security Solutions PCI Security Compliance : What PCI security means for your business The Facts Comodo HackerGuardian TM PCI and the Online Merchant Overview The Payment

More information

Frequently Asked Questions

Frequently Asked Questions Contents CISP Program Overview... 2 1. To whom does CISP apply?...2 2. What does VISA define as "cardholder data"?...2 3. What if a merchant or service provider does not store Visa cardholder data?...2

More information

PCI Standards: A Banking Perspective

PCI Standards: A Banking Perspective Slide 1 PCI Standards: A Banking Perspective Bob Brown, CISSP Wachovia Corporate Information Security Slide 2 Agenda 1. Payment Card Initiative History 2. Description of the Industry 3. PCI-DSS Control

More information

Why Is Compliance with PCI DSS Important?

Why Is Compliance with PCI DSS Important? Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These

More information

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) What is PCI DSS? The 12 Requirements Becoming compliant with SaferPayments Understanding the jargon SaferPayments Be smart.

More information

MEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM

MEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM MEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM PCI DSS 1.1 compliance requirements demand a new level of administration and oversight for merchants, banks and service providers to maintain

More information

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600 Credit Cards and Oracle: How to Comply with PCI DSS Stephen Kost Integrigy Corporation Session #600 Background Speaker Stephen Kost CTO and Founder 16 years working with Oracle 12 years focused on Oracle

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Abhinav Goyal, B.E.(Computer Science) MBA Finance Final Trimester Welingkar Institute of Management ISACA Bangalore chapter 13 th February 2010 Credit Card

More information

Visa Account Information Security Tool Kit. Welcome to the Visa Account Information Security Program

Visa Account Information Security Tool Kit. Welcome to the Visa Account Information Security Program Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

Enforcing PCI Data Security Standard Compliance

Enforcing PCI Data Security Standard Compliance Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security & VideoSurveillance Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 The

More information

Achieving Compliance with the PCI Data Security Standard

Achieving Compliance with the PCI Data Security Standard Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),

More information

Payment Card Security

Payment Card Security Payment Card Security January 31, 2008 Kieran Norton, Senior Manager Security & Privacy Services, Deloitte & Touche LLP Focus of the Presentation PCI Overview Background Current Environment Key Considerations

More information

PCI Data Security Standards

PCI Data Security Standards PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million

More information

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase PCI DSS Overview By Kishor Vaswani CEO, ControlCase Agenda About PCI DSS PCI DSS Applicability to Banks, Merchants and Service Providers PCI DSS Technical Requirements Overview of PCI DSS 3.0 Changes Key

More information

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud

More information

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor

More information

Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues

Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues August 16, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy

More information

PCI DSS Presentation University of Cincinnati

PCI DSS Presentation University of Cincinnati PCI DSS Presentation University of Cincinnati Quick PCI Level Set Higher Ed Challenges Getting Compliant Application w/ customers Q& A PCI DSS Payment Card Industry Data Security Standard What is the PCI

More information

La règlementation VisaCard, MasterCard PCI-DSS

La règlementation VisaCard, MasterCard PCI-DSS La règlementation VisaCard, MasterCard PCI-DSS Conférence CLUSIF "LES RSSI FACE À L ÉVOLUTION DE LA RÉGLEMENTATION" 7 novembre 07 Serge Saghroune Overview of PCI DSS Payment Card Industry Data Security

More information

Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A

Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879 Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 2 of 116 PageID: 4880 Payment Card Industry (PCI)

More information

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business Comodo HackerGuardian PCI Security Compliance The Facts What PCI security means for your business Overview The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements intended

More information

PCI Compliance: How to ensure customer cardholder data is handled with care

PCI Compliance: How to ensure customer cardholder data is handled with care PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4

More information

Using Skybox Solutions to Achieve PCI Compliance

Using Skybox Solutions to Achieve PCI Compliance Using Skybox Solutions to Achieve PCI Compliance Achieve Efficient and Effective PCI Compliance by Automating Many Required Controls and Processes Skybox Security whitepaper August 2011 1 Executive Summary

More information

PCI DSS Requirements - Security Controls and Processes

PCI DSS Requirements - Security Controls and Processes 1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data

More information

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name

More information

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013 05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of

More information

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.1 April 2015

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.1 April 2015 Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.1 April 2015 Document Changes Date Version Description Pages October 2008 1.2 July 2009 1.2.1

More information

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to: What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International

More information

Establish and Maintain Secure Cardholder Data with IBM Payment Card Industry Solutions

Establish and Maintain Secure Cardholder Data with IBM Payment Card Industry Solutions Providing stronger security practices that enable PCI Compliance and protect cardholder data. Establish and Maintain Secure Cardholder Data with IBM Payment Card Industry Solutions Highlights Offers pre-assessment

More information

Project Title slide Project: PCI. Are You At Risk?

Project Title slide Project: PCI. Are You At Risk? Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

More information

A Rackspace White Paper Spring 2010

A Rackspace White Paper Spring 2010 Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry

More information

Two Approaches to PCI-DSS Compliance

Two Approaches to PCI-DSS Compliance Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,

More information

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

WHITE PAPER. PCI Basics: What it Takes to Be Compliant WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through

More information

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Whitepaper. PCI Compliance: Protect Your Business from Data Breach Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your

More information

Presented By: Bryan Miller CCIE, CISSP

Presented By: Bryan Miller CCIE, CISSP Presented By: Bryan Miller CCIE, CISSP Introduction Why the Need History of PCI Terminology The Current Standard Who Must Be Compliant and When What Makes this Standard Different Roadmap to Compliance

More information

Net Report s PCI DSS Version 1.1 Compliance Suite

Net Report s PCI DSS Version 1.1 Compliance Suite Net Report s PCI DSS Version 1.1 Compliance Suite Real Security Log Management! July 2007 1 Executive Summary The strict requirements of the Payment Card Industry (PCI) Data Security Standard (DSS) are

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment

More information

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Introduction: The Procedures that follow will allow the University to be in compliance with the Payment Card Industry

More information

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER July 9 th, 2012 Prepared By: Mark Akins PCI QSA, CISSP, CISA WHITE PAPER IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD PCI DSS for Merchants The Payment

More information

Adyen PCI DSS 3.0 Compliance Guide

Adyen PCI DSS 3.0 Compliance Guide Adyen PCI DSS 3.0 Compliance Guide February 2015 Page 1 2015 Adyen BV www.adyen.com Disclaimer: This document is for guidance purposes only. Adyen does not accept responsibility for any inaccuracies. Merchants

More information

Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security

Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security John Mason Slides & Code - labs.fusionlink.com Blog - www.codfusion.com What is PCI-DSS? Created by the

More information

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)

More information

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,

More information

Payment Card Industry Data Security Standard (PCI DSS) v1.2

Payment Card Industry Data Security Standard (PCI DSS) v1.2 Payment Card Industry Data Security Standard (PCI DSS) v1.2 Joint LA-ISACA and SFV-IIA Meeting February 19, 2009 Presented by Mike O. Villegas, CISA, CISSP 2009-1- Agenda Introduction to PCI DSS Overview

More information

Technology Innovation Programme

Technology Innovation Programme FACT SHEET Technology Innovation Programme The Visa Europe Technology Innovation Programme () was designed to complement the Payment Card Industry (PCI) Data Security Standard (DSS) by reflecting the risk

More information

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement

More information

Payment Card Industry Data Security Standard Explained

Payment Card Industry Data Security Standard Explained Payment Card Industry Data Security Standard Explained Agenda Overview of PCI DSS Compliance Levels and Requirements PCI DSS in More Detail Discussion, Questions and Clarifications Overview of PCI-DSS

More information

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011) Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions Version 5.0 (April 2011) Contents Contents...2 Introduction...3 What are the 12 key requirements of

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers For use with PCI DSS Version 3.1 Revision 1.1 July 2015 Section 1: Assessment

More information

1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education

1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education PCI in Higher Education Walter Conway, QSA 403 Labs, LLC Walt Conway PCI consultant, blogger, trainer, speaker, author Former Visa VP Help schools become PCI compliant Represent Higher Education at PCI

More information

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.0 November 2013

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.0 November 2013 Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.0 November 2013 Document Changes Date Version Description Pages October 2008 1.2 July 2009 1.2.1

More information

Payment Card Industry Compliance Overview

Payment Card Industry Compliance Overview January 31, 2014 11:30am 12:30pm Central Hosted by: Texas.gov Presented by: Jayne Holland Barbara Brinson Payment Card Industry Compliance Overview Securing Government Payments Audio Dial In: 866-740-1260

More information

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Whitepaper. PCI Compliance: Protect Your Business from Data Breach Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your

More information

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 1.1 February 2008 Table of Contents About this Document... 1 PCI Data Security Standard

More information

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows: What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers

More information

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments Security in the Payment Card Industry OWASP AppSec Seattle Oct 2006 Hap Huynh, Information Security Specialist, Visa USA hhuynh@visa.com Copyright 2006 - The OWASP Foundation Permission is granted to copy,

More information

PCI DSS COMPLIANCE DATA

PCI DSS COMPLIANCE DATA PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities

More information

Payment Card Industry (PCI) Compliance A QSA Perspective

Payment Card Industry (PCI) Compliance A QSA Perspective Payment Card Industry (PCI) Compliance A QSA Perspective Agenda Introduction Getting Started Data Flows Gap Assessment Remediation What is Payment Card Industry (PCI)? Industry imposed mandate to secure

More information

North Carolina Office of the State Controller Technology Meeting

North Carolina Office of the State Controller Technology Meeting PCI DSS Security Awareness Training North Carolina Office of the State Controller Technology Meeting April 30, 2014 agio.com A Note on Our New Name Secure Enterprise Computing was acquired as the Security

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards The payment card industry data security standard PCI DSS Visa and MasterCard have developed the Payment Card Industry Data Security Standard or PCI DSS as

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

An article on PCI Compliance for the Not-For-Profit Sector

An article on PCI Compliance for the Not-For-Profit Sector Level 8, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 An article on PCI Compliance for the Not-For-Profit Sector Page No.1 PCI Compliance for the Not-For-Profit Sector

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 2.0 October 2010 Document Changes Date Version Description October 1, 2008 1.2 October

More information

The Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development

The Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment Card Industry Data Security Standards

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version

More information

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance

More information

Platform as a Service and PCI www.engineyard.com

Platform as a Service and PCI www.engineyard.com Engine Yard White Paper Platform as a Service and PCI www.engineyard.com Purpose Achieving PCI compliance can be a complex, time-consuming, and expensive undertaking, but the right approach can make it

More information

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008 Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities

More information

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI WHITEPAPER Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI About PCI DSS Compliance The widespread use of debit and credit cards in retail transactions demands

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This

More information

Data Security Requirements for K-12 January 28, 2010. Payment Card Industry (PCI)

Data Security Requirements for K-12 January 28, 2010. Payment Card Industry (PCI) CUR RITY SE Data Security Requirements for K-12 January 28, 2010 Payment Card Industry (PCI) SE CUR RITY 1 Welcome To Join The Voice Conference Dial 866-939-3921 Technical issues press 0 Q & A We ll leave

More information

Merchant guide to PCI DSS

Merchant guide to PCI DSS Merchant guide to PCI DSS Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 BOIPA Simple PCI DSS - 3 step approach to helping businesses... 3 What does

More information

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.

More information