PCI DSS Scope Misconceptions. Focusing Compliance Efforts Where it Matters Most
- Garry Dixon
- 8 years ago
1 PCI DSS Scope Misconceptions: Focusing Compliance Efforts Where it Matters Most
M. Yousuf Faisal, Principal Consultant, GRC & PCI Practice Lead (PCI-QSA, PCIP, CISSP, CISM, CISA)
26 September 2014
2 Agenda
- Introduction
- Definition of PCI Scope & Scoping Process
- Options for Reducing Scope
- Common Misconceptions for Avoiding Compliance
- Overlooked Scope
- Q&A
Yousuf Faisal-Public-FINAL-v September
3 NTT Com Security: Global Information Security & Risk Management Provider
4 NTT Com Security Services Pillars: Consulting & Managed Services
- Technology Services: Security Architecture Design, Product Selection, Global Procurement, Global Deployment, Global Staging, Deployment Project Management
- Consulting Services: Vulnerability Assessment, Penetration Testing, Code Review, Secure Coding, Data Loss Prevention, SIEM Advisory, Regulatory Standards Advisory, Compliance Risk Assessment & Audits, Security Strategy & Policy Development, Security Awareness
- Managed Security Services: Technical security phone support, Remote Monitoring Service, Remote Management Service (MSaaS)
5 NTT's Global Threat Intelligence Report
During 2013:
- NTT researched the threats and published the Global Threat Intelligence Report 2014 (GTIR)
- We analyzed more than 3 billion attacks on our customers over the course of 2013 (that's 97 separate attacks per second)
Findings:
- 95% of losses could be reduced by focused investment
- 43% of incident response engagements were the result of malware
- 34% of events were the result of botnet activity
- The report also details specific case studies: Malware, Zero node, SQL injection
Results: On average a typical organization is targeted once every minute of every day, including weekends, evenings, and holidays. During this presentation, your internet-connected device will be attacked probably half a dozen times and your organization will be attacked between times.
6 Importance of PCI DSS Scoping
- Most important step in the PCI journey = a defined scope for PCI DSS applicability
- Overly broad scope = extra cost, and compliance with PCI DSS becomes difficult to achieve
- Too narrow scope = non-compliance / breach: non-compliance is inevitable and the chance of compromise is higher
7 PCI DSS Scope Discovery Objectives
- Introduce the PCI DSS process, requirements and scoping approach
- Determine all systems and processes that handle cardholder data
- Determine transaction volumes (aggregate and per card brand) per year
- Determine individuals or job roles with access to cardholder data
- Determine the locations where cardholder data is stored
- Map the physical and electronic data flow of cardholder information
- Determine in-house or third-party applications storing, processing, or transmitting cardholder data
- Determine third parties with whom cardholder data is shared
- Determine the current extent of the PCI DSS scope
- Determine appropriate sampling methods for a PCI gap analysis or PCI QSA assessment
- Make recommendations for reducing the applicable PCI DSS scope
8 PCI DSS Scoping Defined
Cardholder Data Environment (CDE): the people, processes and technologies that store, process or transmit cardholder data and sensitive authentication data.
The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment.
9 Identifying PCI DSS Scope Applicability
- Electronic: e-commerce, backend processing, account records, unstructured data
- Physical: datacenters, offices/shops, POS terminals, printouts, hardcopy forms
- Phone: recorded conversations
- Personnel / processes: IT staff, customer service, accounting, payment teams
10 Cardholder Data Flow Diagram (New Req.)
- Show the flow of cardholder data
- Logical flow, not a network diagram (although a network diagram is likely a good place to start)
[Diagram elements: Processor; SFTP; Call Center (no storage); PCI LAN; HTTPS; Main Firewall; Application Server (no storage); ODBC; PCI DB (3-year storage)]
11 Other Flow Diagrams (Examples only)
[Diagram labels: Cardholders; Phone; Fax; Sales Dept; Credit Dept; Forms; Phone Order Entry Dept; Data entry; Bluth Company application; Order packets; Forms server; File room (Mid-term storage); Retail store; Warehouse (Long-term storage); E-mail server; E-mails; Scanned forms; POS terminal; Retail workstation; E-mail; Omni Merchant Services; Yoyodyne; In person; Imprints; Treasury Dept; Studio pull binders; Send sale forms; Clientele books]
12 PCI DSS Requirements
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security for all personnel
13 PCI DSS Process (Levels)
- Applies to any organization that stores, processes, or transmits cardholder data
- Validation/compliance levels and their requirements are determined by the card brands
- All levels must have third-party ASV scans
- Depending on level, either self-assessment or third-party QSA assessment is required
- Levels don't change the compliance requirements; some requirements may not be applicable
14 CDE and Beyond (e.g. Flat Network)
[Diagram: Web DMZ, PCI DMZ, Online Shop, DB LAN, DB, Active Directory, Wi-Fi, PCI LAN, Call Center, IT, Users]
15 CDE and Beyond (e.g. Wireless Intrusion)
[Diagram: same network as slide 14]
16 CDE and Beyond (e.g. Infected PC)
[Diagram: same network as slide 14]
17 CDE and Beyond (e.g. Data Exfiltration)
[Diagram: same network as slide 14]
18 CDE and Beyond (e.g. Network Segmentation)
[Diagram: same network as slide 14, with "No Direct Public Access" and the Cardholder Data Environment boundary marked]
19 CDE and Beyond (Connected-To System)
[Diagram: same network as slide 14, with "No Direct Public Access", 2-Factor, and the connected-to IT systems marked In Scope alongside the Cardholder Data Environment]
20 Reducing Scope and Cost
- Get rid of unnecessary cardholder data: if you don't have it, nobody can steal it
- Outsource it to a PCI compliant 3rd party: make it somebody else's problem
- P2PE: make sure you can't even decrypt the data
- Tokenize data: if it's not a credit card number, PCI doesn't care anymore
- Mask displayed cardholder data: the fewer people who see it, the better
- Segment networks: it's easier to put your valuables in a safe than to protect the whole building
21 Data Retention Misconceptions
"We need to keep records of credit card transactions for [arbitrary long time]"
- Chargebacks: 18 months
- Lawsuits: 2 years
- Taxes: 7 years (but you probably don't need the full PANs)
- Don't guess: ask processors, accountants, and legal
"We need to keep card numbers on file for recurring transactions or refunds"
- Cards can be authorized for multiple transactions
- Tokens can be used for refunds
22 Outsourcing Misconceptions
"I don't have any cardholder data so I don't have to worry about PCI"
"A 3rd party handles cardholder data for me so it's out of scope"
- There are still a number of requirements that apply, for example tracking 3rd party PCI compliance
- You are still responsible for assessing 3rd parties
- Using 3rd parties who are already PCI compliant can make this much easier
23 Service Providers (Req. 12.8)
Third-party service providers that may have an impact on the security of the cardholder data environment:
- Store, process, or transmit cardholder data on their behalf
- Manage components such as routers, firewalls, databases, hosting/physical security, or server management
Parties should clearly identify responsibilities (Req):
- The services and system components which are included in the scope of the service provider's PCI DSS assessment (an inventory helps!)
- The specific PCI DSS requirements covered by the service provider
- If everybody assumes somebody else is doing it, then nobody is doing it!
Stuart Moen-Public-Draft-v01 27 Jun
24 3rd Party Management (Req. 12.9)
Vulnerability management:
- Who is responsible for reviewing the risk of vulnerabilities, and who is responsible for remediating residual ones?
Service providers need to provide written acknowledgement of responsibility:
- Effective July 2015
- Written acknowledgement to customers about applicable responsibilities
- Mirrors requirement
- Good idea to start new contracts now
25 3rd Party Access
2-factor authentication requirements apply to 3rd parties (Req. 8.3):
- Specifically includes vendor access for support or maintenance
- Applies to remote network access
Service providers: use unique credentials for each customer (Req):
- Effective July 2015
- Two-factor authentication helps here!
26 Service Providers (Clarifications)
Third-party service providers that may have an impact on the security of the cardholder data environment:
- Store, process, or transmit cardholder data on their behalf
- Manage components such as routers, firewalls, databases, physical security, and/or servers
Parties should clearly identify responsibilities:
- The services and system components which are included in the scope of the service provider's PCI DSS assessment
- The specific PCI DSS requirements covered by the service provider
- Any requirements which are the responsibility of the service provider's customers to include in their own PCI DSS reviews
27 3rd Party Checkout
[Diagram: Processor, Internet, Users, Workstation, Webserver, Database]
28 Point to Point Encryption (P2PE)
[Diagram: Processor, P2PE Certified Terminal, Workstation, Web / Application server, Database]
29 Encryption Misconceptions
P2PE (or E2EE):
- Use certified terminals and implement them properly
- If non-validated terminals or home-grown solutions based on the same P2PE principles are used, the QSA/ISA would have to assess and validate that they are correctly implemented
Backups:
- Backups containing CHD are in scope and need to be rendered unreadable themselves as per PCI Req
- If transferred to another location / 3rd party without the decryption keys, they may be considered out of scope
30 Tokenization (Tokenizing the PAN)
[Diagram: Processor, Workstation, Web / Application server, Database]
31 Scope Clarification on Use of Tokenization
Ground rules: systems that are always in scope
- Token server
- PAN data storage / vault and key manager (encrypting the tokens)
- Tokenization & de-tokenization application
In addition, determine systems in scope by:
- Capability to make requests to the token server: if yes, in scope
- Suitable use of random tokens (generation methods, e.g. random token number generators, one-time pads, and unique code books)
- Systems containing tokenized data placed within the CDE: if yes, in scope. The recommended approach is to place such systems (tokenized data) outside the CDE using network segmentation.
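To make the ground rules above concrete, here is an added Python example (not from the presentation or from NTT Com Security) that simulates a token vault issuing random tokens, masks a PAN for display, and applies the slide's scoping rules to a constructed inventory. Every system name and attribute is a constructed assumption, and the card number is the usual test value, not a real account.

```python
import secrets

DIGITS = "0123456789"


class TokenVault:
    """Simulated token server plus PAN vault.

    Per the slide's ground rules this component is always in scope: it is
    the only place a token can be turned back into a PAN.
    """

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        """Return a random token that keeps only the last four digits of the PAN.

        The leading digits come from a CSPRNG, so the token carries no
        information about the PAN beyond the last four (random token rule).
        """
        if pan in self._token_by_pan:          # same PAN -> same token
            return self._token_by_pan[pan]
        while True:
            token = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4)) + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back to its PAN."""
        return self._pan_by_token[token]


def mask_pan(pan: str) -> str:
    """Display form: first six and last four visible, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


TOKENIZATION_COMPONENTS = {"token_server", "pan_vault", "key_manager", "detokenization_app"}


def tokenization_scope(system: dict) -> tuple:
    """Apply the slide's ground rules to one system description.

    Keys (all assumed for this example): role, can_call_token_server,
    holds_tokens, inside_cde. Returns (verdict, reason).
    """
    if system["role"] in TOKENIZATION_COMPONENTS:
        return ("in scope", "tokenization component: always in scope")
    if system["can_call_token_server"]:
        return ("in scope", "can make requests to the token server")
    if system["holds_tokens"] and system["inside_cde"]:
        return ("in scope", "tokenized data placed within the CDE")
    if system["holds_tokens"]:
        return ("out of scope", "tokens only, segmented from the CDE, no token server access")
    return ("out of scope", "no PAN, no tokens, no token server access")


# Constructed inventory (hypothetical system names).
INVENTORY = {
    "vault-01": {"role": "pan_vault", "can_call_token_server": True, "holds_tokens": True, "inside_cde": True},
    "checkout-app": {"role": "web_app", "can_call_token_server": True, "holds_tokens": True, "inside_cde": True},
    "crm-db": {"role": "database", "can_call_token_server": False, "holds_tokens": True, "inside_cde": False},
    "reporting-db": {"role": "database", "can_call_token_server": False, "holds_tokens": True, "inside_cde": True},
}


def scope_report(inventory: dict) -> dict:
    """Verdict per system, e.g. {'crm-db': 'out of scope', ...}."""
    return {name: tokenization_scope(attrs)[0] for name, attrs in inventory.items()}


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"          # well-known test card number, not a real account
    token = vault.tokenize(pan)
    print("display:", mask_pan(pan), "token:", token)
    for name, verdict in scope_report(INVENTORY).items():
        print(f"{name:13s} {verdict}")
```

The point the inventory makes is the one the slide makes: crm-db holds the same tokens as reporting-db, but only reporting-db is in scope, because it sits inside the CDE; moving it behind the segmentation boundary is what takes it out.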
32 Network Segmentation
33 Segmentation Misconceptions
"Users won't be able to access anything in the CDE"
- You can open nearly any port, you just need to document your justification
- Certain insecure ports are banned
- It doesn't have to be PCI related
- Just remember, anything with access is back in scope
"I need VPNs and tokens to access everything in the CDE"
- Network-level access needs 2-factor authentication; non-network-level access does not
- 2 passwords is not 2-factor authentication
- Certificates are a 2nd factor
34 NTTCS 3-Tiered Model for Scoping
- Tier 1: System components that directly store, process, or transmit cardholder data. PCI DSS requirements are applicable. Restrict access to these system components as much as possible to limit the scope.
- Tier 2: System components that are allowed to connect with anything in Tier 1 (both inbound & outbound traffic) but do not store, process, or transmit cardholder data. PCI DSS requirements are applicable to the extent that they are relevant; ensure that there is only the minimum required connectivity with Tier 1 systems. No need to restrict access to these system components beyond what is already required by PCI DSS.
- Tier 3: System components that are incapable of connecting to any system component in Tier 1. Out of scope for PCI DSS compliance. Should be moved to Tier 2 if it is discovered that there is any way to connect to Tier 1 components.
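The tier model is mechanical enough to compute from an asset inventory and a firewall rule base. The added Python example below (my illustration, not a tool from NTT Com Security) derives Tier 1 from which systems handle cardholder data, Tier 2 from the rules that permit traffic to or from Tier 1 in either direction, and Tier 3 as the remainder; it then audits Tier 3 against constructed observed flows to find the systems that the last bullet says must move to Tier 2. All system names, rules and flows are constructed.

```python
# Constructed asset inventory: hypothetical names; True = stores/processes/transmits CHD.
SYSTEMS = {
    "pci-db": True,
    "payment-app": True,
    "active-directory": False,
    "patch-server": False,
    "hr-fileserver": False,
    "marketing-wiki": False,
}

# Constructed firewall rule base: (source, destination, port) flows that are permitted.
ALLOWED_FLOWS = [
    ("payment-app", "pci-db", 1433),
    ("payment-app", "active-directory", 389),
    ("patch-server", "payment-app", 443),
    ("hr-fileserver", "active-directory", 445),
    ("marketing-wiki", "hr-fileserver", 443),
]


def classify_tiers(systems, allowed_flows):
    """Assign every system to tier1/tier2/tier3 following the three-tier model."""
    tier1 = {name for name, handles_chd in systems.items() if handles_chd}
    tier2 = set()
    for src, dst, _port in allowed_flows:
        # Either direction counts: inbound to Tier 1 or outbound from Tier 1.
        if src in tier1 and dst not in tier1:
            tier2.add(dst)
        if dst in tier1 and src not in tier1:
            tier2.add(src)
    tier3 = set(systems) - tier1 - tier2
    return {"tier1": tier1, "tier2": tier2, "tier3": tier3}


def audit_tier3(tiers, observed_flows):
    """Return (system, tier1_peer, port) for every Tier 3 system seen talking to Tier 1.

    Observed flows (e.g. from NetFlow or firewall logs) may contradict the rule
    base; any hit means the system is really Tier 2 or the path must be closed.
    """
    tier1, tier3 = tiers["tier1"], tiers["tier3"]
    hits = []
    for src, dst, port in observed_flows:
        if src in tier3 and dst in tier1:
            hits.append((src, dst, port))
        elif dst in tier3 and src in tier1:
            hits.append((dst, src, port))
    return sorted(set(hits))


# Constructed sample of observed traffic for the audit.
OBSERVED_FLOWS = [
    ("payment-app", "pci-db", 1433),
    ("hr-fileserver", "active-directory", 445),
    ("hr-fileserver", "pci-db", 445),      # not in the rule base: a forgotten share
    ("marketing-wiki", "hr-fileserver", 443),
]

if __name__ == "__main__":
    tiers = classify_tiers(SYSTEMS, ALLOWED_FLOWS)
    for tier, members in tiers.items():
        print(tier, sorted(members))
    for system, peer, port in audit_tier3(tiers, OBSERVED_FLOWS):
        print(f"move {system} to tier 2: observed flow to {peer} on port {port}")
```

Note that hr-fileserver stays Tier 3 on the rule base alone even though it talks to active-directory, which is Tier 2: the model ties scope to connectivity with Tier 1, not with Tier 2. Only the observed flow to pci-db changes its classification, which is why the yearly scope validation from the takeaways slide needs traffic evidence and not just the rule base.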
35 Other Options: Open PCI Tool Kit
37 Other Impacts of Incorrect Scoping
Other requirements affected:
- Annual risk assessment
- ASV external quarterly scans
- Internal quarterly vulnerability scans
- Annual penetration testing (or after any significant change)
- & more
Results: higher cost spending; wasted time, effort & resources; non-compliance
38 Case Study: Reducing Scope (Insurance Company)
- Conducted scope reduction pre-assessment
- A few applications processing credit cards in-house required many new controls
- Many departments had outsourced credit card processing
- Recommended outsourcing all processing
- Avoided major network redesign
- Over 100 compliance requirements no longer applicable
- Achieved compliance in weeks instead of months
39 Common Misconceptions for Avoiding Compliance
"We only handle cardholder data for someone else"
- The PCI definition applies: an organization that handles cardholder data on behalf of another organization is known as a service provider
- Service providers have 2 options when confronted with customers with PCI requirements
"We don't store cardholder data; we only transmit or process CHD"
- PCI DSS applies to organizations that process or transmit cardholder data in addition to those storing cardholder data
- Layer 2 network providers (such as ISPs or telecoms providing frame relay, ATM, and MPLS links) are exempt
40 Common Misconceptions for Avoiding Compliance
"We use PA-DSS compliant applications and/or P2PE compliant terminals"
- These can help reduce the scope of PCI but they do not eliminate it completely
- PA-DSS and P2PE validated solutions are in scope & need to be implemented in a PCI compliant manner
"We only accept EMV (chip-and-PIN) cards"
- Systems that only use chip-and-PIN cards are still in scope
- EMV offers security advantages over cards with magnetic stripe for card-present transactions
- EMV cards still have magnetic stripes that can be copied and work the same as other cards in card-not-present transactions
41 Overlooked Scope
System components that transmit CHD but do not store cardholder data:
- PCI DSS applies to system components that process and transmit cardholder data in addition to those that store cardholder data
- Web servers, application servers, workstations, thin clients, and mobile devices that transmit cardholder data without storing it are in scope
Network infrastructure transmitting cardholder data:
- Infrastructure within the CDE is likely transmitting cardholder data and should be considered in scope as part of the CDE itself
- A VLAN is a valid method to create logical segments, but actual separation between the CDE and other networks would still require a firewall or other form of access control list to satisfy PCI DSS
Supporting infrastructure:
- Other supporting infrastructure, such as password management systems (e.g. Active Directory or RADIUS), DNS services, patching systems, and network time synchronization protocols, will often be on a separate network segment from the systems that directly handle cardholder data but would be considered in scope for PCI DSS compliance if they are used by system components in the cardholder data environment
42 Overlooked Scope (Contd.)
Development: in-house built applications
- Organizations that develop internal applications handling CHD will have to consider the impact of compliance on their development teams
- PCI Requirement 6 deals with techniques for developing and deploying secure software
- Many sub-requirements apply to development staff, including how they write and test their code as well as how the system administration staff deploy that code to the production environment
Individuals who access the CDE without regularly accessing cardholder data:
- System administrators, network administrators, database administrators, and developers will access the cardholder data environment
- They may have access to data, decryption keys, or security settings etc.
- Even if the employee is not malicious, their workstation could be compromised by malware and their access leveraged in order to effect a breach. As a result these individuals and the workstations they use for access to the CDE fall in scope for PCI DSS compliance.
43 Overlooked Scope (Contd.)
Legacy data (often forgotten):
- Many organizations will migrate to newer processing systems without completely retiring legacy systems, instead allowing them to continue running for archival or reference purposes. Although these systems may no longer be in active use, they are still in scope if they contain cardholder data: an attacker who successfully breached them would be able to retrieve cardholder data just the same as if he compromised the new replacement system.
Unstructured data: cardholder data in unknown locations
- Often employees will create their own work process, such as retrieving data from a database into an Excel file and then e-mailing that Excel file to another employee for reporting purposes. This represents unstructured data as it is no longer within the structured environment of a database and application. If this unstructured data contains cardholder data then it is in scope for PCI DSS compliance.
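The legacy-data and unstructured-data points above are usually found by scanning exports, mailboxes and old file shares for anything that looks like a PAN. The added Python example below (not part of the presentation) scans a constructed CSV export for PAN candidates, filters them with the Luhn check so that order numbers and other long digit strings are not reported, and records findings in masked form so the scanner itself does not create a new store of cardholder data. The leading-digit filter is a simplification chosen for this example, and the card numbers in the sample are standard test values, not real accounts.

```python
import re
from dataclasses import dataclass

# Constructed sample of an ad-hoc export. The card numbers are the usual
# test-card values, not real accounts; the ORD- numbers are long digit
# strings that must not be reported.
SAMPLE_EXPORT = """\
order_id,customer,card,amount
ORD-1234567812345678,alice,4111 1111 1111 1111,19.99
ORD-2234567812345679,bob,5555-5555-5555-4444,42.00
ORD-3234567812345670,carol,378282246310005,7.50
note: phone +1 555 0100 and ticket 20140926 are not card numbers
"""

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most first six and last four; never write the full PAN to output."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    masked_pan: str
    length: int


def scan_text(text: str) -> list:
    """Return a Finding for each Luhn-valid PAN candidate, one per occurrence."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if not 13 <= len(digits) <= 19:
                continue
            # Simplification chosen for this example: the brands handled here
            # start with 3, 4, 5 or 6; extend the set for other card ranges.
            if digits[0] not in "3456":
                continue
            if not luhn_valid(digits):
                continue
            findings.append(Finding(line_no, mask_pan(digits), len(digits)))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_EXPORT):
        print(f"line {f.line_no}: {f.masked_pan} ({f.length} digits)")
```

Two of the three ORD- values in the sample survive the length and leading-digit filters and are rejected only by Luhn, which is why a regex alone produces too many false positives on real exports; conversely, Luhn-valid non-card numbers do occur, so hits still need a human look before a file share is declared in scope.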
44 Overlooked Scope (Contd.)
Paper records:
- Physical documents containing cardholder data are in scope for PCI DSS compliance
- There are a number of requirements of note that would apply to paper records, e.g.:
- Physical security (Requirement 9), including the destruction of hard copies (Requirement 9.8.1), would be applicable
- Any documents would also have to be stored and destroyed in accordance with the organization's data retention and disposal policy as defined in Requirement 3.1
Phone calls (often forgotten): cardholder data being stored as part of call recordings
- Personnel and IT infrastructure involved in handling cardholder data via phone are in scope for PCI DSS compliance. Typical IT concerns would include Voice over IP (VoIP) infrastructure, call recording, and screen recording for quality assurance purposes.
- Adequate segmentation between VoIP and data is needed, and/or if they are mixed, VoIP encryption is required
- Recorded account numbers would have to be rendered unreadable (usually encrypted) as per Requirement 3.4, while sensitive authentication data would have to be purged, as its storage after authorization is complete is prohibited under Requirement 3.2
45 Case Study 2: Level 1 Merchant
Background:
- First PCI audit in 2012
- Successfully passed to date
- Business relies on payment service providers
- Betting and gaming compliance requirements
- Using PCI compliant service providers
Key challenges and how they were mitigated:
- Expanding client base and ongoing agility requirements
- Limited size of security team
- Business has to meet peak demands (such as during major sporting events)
- Established flexibility in their compliance programmes to work around key business events
- Initiated monthly governance meetings involving key stakeholders
- Conducted pre-audit assessments
46 Key Takeaways
- Hire qualified & experienced consultants or staff
- Scope your environment appropriately
- Validate the scope on a yearly basis / after any change
- Plan ahead for changes
- Self-assess or 3rd party gap analysis
- Security is a shared responsibility: document roles & responsibilities
- Monitor emerging threats
- Increase staff awareness regularly
- Create governance frameworks for more efficient audits and sustainable compliance
- Keep your focus on security & not on compliance
47 NTT Com Security Proposed Approach
Stages: Scope Reduction Assessment -> Data Discovery -> Scope Remediation -> Gap Analysis -> Control Remediation -> PCI QSA Assessment or Self-Assessment Assistance -> PCI Support Services (Year 2+)
- Scope Reduction Assessment: accurately determine the scope and applicability of PCI-DSS and make realistic recommendations for reducing the scope
- Data Discovery: look for unexpected cardholder data outside the bounds of intended PCI applicability
- Scope Remediation: take steps to reduce the scope of PCI-DSS and therefore the cost of remediation and assessment
- Gap Analysis: find areas of non-compliance and the activities required to complete a PCI assessment
- Control Remediation: begin work with IT, management, and staff to remediate areas of non-compliance; remediation support and solutions to prevent last-minute surprises
- PCI QSA Assessment or Self-Assessment Assistance: perform an assessment of current PCI-DSS compliance and prepare a Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) suitable for submission to processors or card brands
- PCI Support Services (Year 2+): maintain regularly scheduled ASV scans, penetration tests, application tests, and wireless scans, and assess annually
48 PCI Support Services
PCI Req. | Task | NTT Com Security Service
- | Approval and testing of firewall configurations | Firewall Compliance Management
- 10 | Track and monitor all access to network resources and cardholder data | Managed Security Services
- 1, 6, 11, 12 | Various | Managed Security Services
- 3.4 | Render PAN unreadable in storage | Encryption and Key Management
- 3.5, 3.6 | Key management | Encryption and Key Management
- 5.1, 5.2 | Deploy anti-virus | Anti-Virus / Data Protection / Mobile Device Management
- 6.3, 6.5, 6.6 | Develop secure software applications | Code Review / WAF / App Sec
49 PCI Support Services
PCI Req. | Task | NTT Com Security Service
- 7, 8 | Restrict access to cardholder data by business need to know; assign a unique ID to each person with computer access | Authentication / Identity Management
- 10 | Track and monitor all access to network resources and cardholder data | Security Information and Event Management (SIEM)
- 11.5 | File-integrity monitoring | Security Information and Event Management (SIEM)
- 11.1 | Wireless IDS/IPS | Intrusion Detection / Prevention
- 11.4 | IDS/IPS | Intrusion Detection / Prevention
- 11.5 | File-integrity monitoring | Intrusion Detection / Prevention
50 PCI Support Services
PCI Req. | Task | NTT Com Security Service
- 11.2 | Internal and external network vulnerability scans | Vulnerability Scanning (NTT Com Security is an Approved Scanning Vendor (ASV))
- 11.3, 6.6 | Network penetration testing; application penetration testing | Penetration Testing
- 12 | Policies and procedures | Policy & Procedure Development
- 1, 2.2 | Firewall, router, and system configuration standards | Policy & Procedure Development
- 12.6 | Security awareness training | Training
- 12.2 | Annual Risk Assessment | GRC Risk Insights
- 12.9 | Incident Response | GRC
51 Q&A
-services/pcidss/pci-landing-page/
52 Thank you
M. Yousuf Faisal, Principal Consultant - GRC & PCI Practice Lead (PCI-QSA, PCIP, CISSP, CISM, CISA)
26 September 2014
Breach Findings for Large Merchants 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security Disclaimer The information or recommendations contained herein are
More informationPCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing
More informationTechnical breakout session
Technical breakout session Small leaks sink great ships Managing data security, fraud and privacy risks Tarlok Birdi, Deloitte Ron Borsholm, WTS May 27, 2009 Agenda 1. PCI overview: the technical intent
More informationHow Secure is Your Payment Card Data?
How Secure is Your Payment Card Data? Complying with PCI DSS SLIDE 1 PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security Practice PCI Practice Leader Francis has
More informationPCI Compliance 2012 - The Road Ahead. October 2012 Hari Shah & Parthiv Sheth
PCI Compliance 2012 - The Road Ahead October 2012 Hari Shah & Parthiv Sheth What s the latest? Point-to-Point Encryption (P2PE) Program Guide Updated Solution Requirements and Testing Procedures for hardware-based
More informationData Security & PCI Compliance & PCI Compliance Securing Your Contact Center Securing Your Contact Session Name :
Data Security & PCI Compliance Securing Your Contact Center Session Name : Title Introducing Trevor Horwitz Pi Principal, i TrustNet t trevor.horwitz@trustnetinc.com John Simpson CIO, Noble Systems Corporation
More informationPCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com
PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement
More informationLESS IS MORE PCI DSS SCOPING DEMYSTIFIED
LESS IS MORE PCI DSS SCOPING DEMYSTIFIED Lauren Holloway PCI Security Standards Council Emma Sutcliffe PCI Security Standards Council Session ID: Session Classification: DSP-W21 Intermediate Who s Here
More informationPuzzled about PCI compliance? Proactive ways to navigate through the standard for compliance
Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com
More informationPayment Card Industry - Data Security Standard (PCI-DSS) Security Policy
Payment Card Industry - Data Security Standard () Security Policy Version 1-0-0 3 rd February 2014 University of Leeds 2014 The intellectual property contained within this publication is the property of
More informationPCI Compliance Updates
PCI Compliance Updates E-Commerce / Cloud Security Adam Goslin, Chief Operations Officer AGoslin@HighBitSecurity.com Direct: 248.388.4328 PCI Guidance Google: PCI e-commerce guidance https://www.pcisecuritystandards.org/pdfs/pci_dss_v2_ecommerce_guidelines.pdf
More informationPayment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.
Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History
More informationUniversity of Sunderland Business Assurance PCI Security Policy
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial
More informationProject Title slide Project: PCI. Are You At Risk?
Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services
More informationThis appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected
This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers For use with PCI DSS Version 3.1 Revision 1.1 July 2015 Section 1: Assessment
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationDon Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer
Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud
More informationHOW SECURE IS YOUR PAYMENT CARD DATA?
HOW SECURE IS YOUR PAYMENT CARD DATA? October 27, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director PCI Practice Leader Kevin Villanueva,, CISSP,
More informationPCI DSS Requirements - Security Controls and Processes
1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data
More informationSection 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
More informationAchieving PCI-Compliance through Cyberoam
White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit
More informationPayment Cardholder Data Handling Procedures (required to accept any credit card payments)
Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Introduction: The Procedures that follow will allow the University to be in compliance with the Payment Card Industry
More informationWhat s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1
What s New in PCI DSS 2.0 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 Agenda PCI Overview PCI 2.0 Changes PCI Advanced Technology Update PCI Solutions 2010 Cisco and/or
More informationPayment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.1 April 2015
Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.1 April 2015 Document Changes Date Version Description Pages October 2008 1.2 July 2009 1.2.1
More information05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013
05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of
More informationPCI Compliance 3.1. About Us
PCI Compliance 3.1 University of Hawaii About Us Helping organizations comply with mandates, recover from security breaches, and prevent data theft since 2000. Certified to conduct all major PCI compliance
More informationCredit Cards and Oracle E-Business Suite Security and PCI Compliance Issues
Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues August 16, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy
More informationThree Critical Success Factors for PCI Assessment. Seth Peter NetSPI April 21, 2010
Three Critical Success Factors for PCI Assessment Seth Peter NetSPI April 21, 2010 Introduction Seth Peter NetSPI Chief Technology Officer and Founder 15 year history of application, system, and network
More informationContinuous compliance through good governance
PCI DSS Compliance: A step into the payment ecosystem and Nets compliance program Continuous compliance through good governance Who are the PCI SSC? The Payment Card Industry Security Standard Council
More informationThoughts on PCI DSS 3.0. September, 2014
Thoughts on PCI DSS 3.0 September, 2014 Speaker Today Jeff Sanchez is a Managing Director in Protiviti s Los Angeles office. He joined Protiviti in 2002 after spending 10 years with Arthur Andersen s Technology
More informationCyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance
Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name
More informationPCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz
PCI-DSS: A Step-by-Step Payment Card Security Approach Amy Mushahwar & Mason Weisz The PCI-DSS in a Nutshell It mandates security processes for handling, processing, storing and transmitting payment card
More informationPayment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS
The PCI Security Standards Council http://www.pcisecuritystandards.org The OWASP Foundation http://www.owasp.org Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS Omar F. Khandaker,
More informationPayment Card Industry - Achieving PCI Compliance Steps Steps
CUR RITY SE Data Security Requirements for K-12 January 28, 2010 Payment Card Industry (PCI) SE CUR RITY 1 Welcome To Join The Voice Conference Dial 866-939-3921 Technical issues press 0 Q & A We ll leave
More informationRisk and Rewards For PCI DSS 3.1 Compliance. What Is PCI DSS?
Risk and Rewards For PCI DSS 3.1 Compliance What Risks Exist If I Don t Become Compliant? What Do I Gain For Being Compliant? What Is PCI DSS? PCI DSS is an acronym for Payment Card Industry (PCI) Data
More informationPayment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security
Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security John Mason Slides & Code - labs.fusionlink.com Blog - www.codfusion.com What is PCI-DSS? Created by the
More informationSo you want to take Credit Cards!
So you want to take Credit Cards! Payment Card Industry - Data Security Standard: (PCI-DSS) Doug Cox GSEC, CPTE, PCI/ISA, MBA dcox@umich.edu Data Security Analyst University of Michigan PCI in Higher Ed
More informationPresented By: Bryan Miller CCIE, CISSP
Presented By: Bryan Miller CCIE, CISSP Introduction Why the Need History of PCI Terminology The Current Standard Who Must Be Compliant and When What Makes this Standard Different Roadmap to Compliance
More informationKey Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
More informationPCI Data Security Standards
PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million
More informationPayment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.0 November 2013
Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.0 November 2013 Document Changes Date Version Description Pages October 2008 1.2 July 2009 1.2.1
More informationPCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock
PCI DSS 3.0 Overview OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock 01/16/2015 Purpose of Today s Presentation To provide an overview of PCI 3.0 based
More informationThe State of Security and Compliance for E- Commerce and Retail
The State of Security and Compliance for E- Commerce and Retail Current state of security PCI regulations and compliance Does the data you hold require PCI compliance Security and safeguarding against
More informationEnforcing PCI Data Security Standard Compliance
Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security & VideoSurveillance Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 The
More informationPCI DATA SECURITY STANDARD OVERVIEW
PCI DATA SECURITY STANDARD OVERVIEW According to Visa, All members, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard. In order to be PCI compliant,
More informationPayment Card Industry Data Security Standard
Payment Card Industry Data Security Standard Office of the State Treasurer Ryan Pitroff Banking Services Manager Ryan.Pitroff@tre.wa.gov PCI-DSS A common set of industry tools and measurements to help
More informationPCI DSS Compliance. 2015 Information Pack for Merchants
PCI DSS Compliance 2015 Information Pack for Merchants This pack contains general information regarding PCI DSS compliance and does not take into account your business' particular requirements. ANZ recommends
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 1.1 February 2008 Table of Contents About this Document... 1 PCI Data Security Standard
More informationCHEAT SHEET: PCI DSS 3.1 COMPLIANCE
CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission
More informationPCI DSS Presentation University of Cincinnati
PCI DSS Presentation University of Cincinnati Quick PCI Level Set Higher Ed Challenges Getting Compliant Application w/ customers Q& A PCI DSS Payment Card Industry Data Security Standard What is the PCI
More information5 TIPS TO PAY LESS FOR PCI COMPLIANCE
Ebook 5 TIPS TO PAY LESS FOR PCI COMPLIANCE SIMPLE STEPS TO REDUCE YOUR PCI SCOPE 2015 SecurityMetrics 5 TIPS TO PAY LESS FOR PCI COMPLIANCE 1 5 TIPS TO PAY LESS FOR PCI COMPLIANCE SIMPLE STEPS TO REDUCE
More informationMasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.
MasterCard PCI & Site Data Protection (SDP) Program Update Academy of Risk Management Innovate. Collaborate. Educate. The Payment Card Industry Security Standards Council (PCI SSC) Open, Global Forum Founded
More informationWhite Paper. Understanding & Deploying the PCI Data Security Standard
White Paper Understanding & Deploying the PCI Data Security Standard Executive Overview The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide standard designed to help organizations
More informationAre You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014
Are You Ready For PCI v 3.0 Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014 Today s Presenter Corbin Del Carlo QSA, PA QSA Director, National Leader PCI Services Practice 847.413.6319
More informationPreparing for PCI DSS 3.0 & Ensuring a Seamless Transition. November 2013
Preparing for PCI DSS 3.0 & Ensuring a Seamless Transition November 2013 Introductions Brian Serra PCI Practice Director Nick Puetz Managing Director - Strategic Services 2013 FishNet Security Inc. All
More informationPCI DSS 3.0 Changes & Challenges P R E S I D E N T/ C O - F O U N D E R F R S EC U R E
PCI DSS 3.0 Changes & Challenges EVAN FRANCEN, CISSP CISM P R E S I D E N T/ C O - F O U N D E R F R S EC U R E PCI DSS 3.0 Changes & Challenges Topics FRSecure, the company Introduction to PCI-DSS Recent
More informationBAE Systems PCI Essentail. PCI Requirements Coverage Summary Table
BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance
More informationCyber - Security and Investigations. Ingrid Beierly August 18, 2008
Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities
More information2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock
2015 PCI DSS Meeting OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock 11/3/2015 Today s Presentation What do you need to do? What is PCI DSS? Why PCI DSS? Who Needs to Comply
More informationIntroduction to PCI DSS
Month-Year Introduction to PCI DSS March 2015 Agenda PCI DSS History What is PCI DSS? / PCI DSS Requirements What is Cardholder Data? What does PCI DSS apply to? Payment Ecosystem How is PCI DSS Enforced?
More informationPayment Card Industry Data Security Standards
Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This
More informationDATA SECURITY. Payment Card Industry (PCI) Compliance Steps for Organizations May 26, 2010. 2010 Merit Member Conference
2010 Merit Member Conference Compliance Steps for Organizations May 26, 2010 Payment Card Industry (PCI) 1 Welcome 2 Welcome Q & A We ll leave time to address questions during the last 15 minutes of the
More informationPayment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0
Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview
More informationTop Three POS System Vulnerabilities Identified to Promote Data Security Awareness
CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA
More informationA PCI Journey with Wichita State University
A PCI Journey with Wichita State University Blaine Linehan System Software Analyst III Financial Operations & Business Technology Division of Administration & Finance 1 Question #1 How many of you know
More informationGFI White Paper PCI-DSS compliance and GFI Software products
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
More informationPC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA
PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission
More informationInformation Security Services. Achieving PCI compliance with Dell SecureWorks security services
Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)
More information