Payment Card Crime Hotels Face Great Security Risks
What You Can Do to Protect You and Your Guests

Payment Card Crime in the Hotel Industry

Trafficking stolen payment card data is a thriving business. New security breaches at international, medium-sized and small companies are regularly reported by the press, and the estimated number of unreported successful attacks is much higher still. According to current studies published by the payment card organizations, the hotel industry is a prime target for payment card fraud. Professional hacker groups and criminal insiders exploit the low level of awareness of these risks, which is very common in this sector. High claims for compensation, loss of image and of guest confidence, and the termination of the payment card acceptance contract can all follow a successful compromise of payment card data, posing a significant threat to your hotel business.

Causes and Reasons

The hotel industry offers payment card thieves a wide attack surface. Payment card data is widely distributed: many areas of the hotel receive, process and store it. Payment card data for reservations arrives in very different ways (by phone, e-mail, fax or online) and reaches the hotel long before the guest checks in. Beyond reservations, there are many other scenarios in which payment cards are used in the hotel business, for example purchases in the hotel shop, booking sports and wellness offers in the spa and fitness area, and payments at the hotel bar, in the restaurant or in the casino on the premises.

usd AG
Introducing Countermeasures

At the beginning of 2005, the Payment Card Industry Data Security Standard (PCI DSS) was published by the international payment card organizations Visa, MasterCard, American Express, JCB, Discover and Diners to improve the protection of payment card data. Implementing the security measures defined in this standard is mandatory for all companies that handle payment card data. Merchants and service providers are obliged to exercise due diligence. In most cases, hotels can use the Self-Assessment Questionnaire (SAQ) to attest compliance with the standard; where necessary, external security checks are performed. Our PCI Competence Center is at your disposal if you need further information.

usd PCI Competence Center

Our Competence Center provides consulting services to merchants on all aspects of the PCI Security Standard. Do you have questions about PCI requirements and conditions? Do you need help filling out the SAQ? We are happy to assist you.
Telephone:

What Can I Do?

Solutions don't always have to be complex and expensive. Numerous studies show that more than three quarters of all attacks could have been avoided by simple means and with little (financial) effort. Based on the experience we gained working with numerous hotels, we have listed the five most important subjects regarding payment card security in the hotel business. The following compact guideline, which you can follow step by step, shows you how to minimize your risk. At the same time, you will fulfill the most important requirements of the PCI Security Standard.

Each of the following pages covers one subject. In addition to describing vulnerabilities and possible attack vectors, we describe specific countermeasures. Using the check list on each page, you will be able to keep track of the measures to take and come closer to your goal step by step. Should you have any questions, we will gladly provide you with the information you need. Please go to the last page for our contact data.
Responsible Payment Card Data Handling

Payment cards are a preferred means of payment in the hotel environment. Accordingly, an abundance of payment card data is found on the computer systems in hotels as well as in their booking and accounting software. The large amount of data, together with poorly maintained software and computers, attracts criminals like a magnet. The risk of losing control over the security of payment card data increases with the amount of stored data, with the associated business processes and with the number of staff members handling the data. At the same time, the effort required to ensure compliance with the strict requirements of the PCI Security Standard increases. This standard applies to any IT system, employee and medium (digital or print-out) that comes into contact with payment card data.

The most important principle is: reduce payment card data handling. The term payment card data refers to any data used in connection with a payment process. The less of this data you store permanently, the less likely it is to be stolen by attackers. Please note the following when storing payment card data:

- The name of the payment card owner and the expiry date of the payment card may be stored.
- The payment card number may only be stored if it is encrypted or masked, for example. Masking means that only the first six and the last four digits of the payment card number are shown (e.g. xx xxxx 3456). This process is often used when the card number has to be stored for controls and queries.
- Security features such as CVV2/CVC2 and PIN must never be stored; otherwise they lose their function as security features.

Check list:
- Perform an inventory of the data storage for payment cards
- Minimize the retention period for payment card data
- Check secure storage/masking of payment card numbers
- Do not store payment card data security features

We recommend conducting an inventory first. How many storage areas do you have for your payment card data? Then think about how long you actually have to keep such data. Check your business processes and try to find out where payment card data usage is absolutely necessary.
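The storage rules above, as an added example that is not part of the usd AG guide: a record filter that keeps only what may be stored (name, expiry, masked card number) and drops CVV2/CVC2 and PIN, plus a small inventory helper that finds unmasked card numbers in stored text. The reservation and the note below are constructed test data; 4111 1111 1111 1111 is a well-known test card number.

```python
import re

# Added example, not part of the usd AG guide: the guide's storage rules for
# payment card data expressed as code. Inputs below are constructed test data.

SECURITY_FEATURES = ("cvv2", "cvc2", "pin")   # must never be stored


def luhn_ok(digits: str) -> bool:
    """Luhn check; card numbers pass it, most phone and booking numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as the guide describes."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible payment card number length")
    return digits[:6] + "x" * (len(digits) - 10) + digits[-4:]


def storable_record(reservation: dict) -> dict:
    """Return the subset of a reservation that may be kept on file:
    cardholder name and expiry date unchanged, the card number masked,
    and the security features (CVV2/CVC2, PIN) dropped entirely."""
    stored = {}
    for key, value in reservation.items():
        field = key.lower()
        if field in SECURITY_FEATURES:
            continue                       # never written anywhere
        if field == "pan":
            stored["pan_masked"] = mask_pan(value)
        else:
            stored[key] = value
    return stored


# 13 to 19 digits, optionally separated by spaces or hyphens,
# and not part of a longer run of digits
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_unmasked_pans(text: str) -> list:
    """Inventory helper: list card numbers found in stored text (notes, exported
    mails, log files). Each hit is returned in masked form so the report itself
    does not become another place where full card numbers are stored."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits


if __name__ == "__main__":
    # constructed reservation as it might arrive by e-mail
    reservation = {"name": "A. Guest", "pan": "4111 1111 1111 1111",
                   "expiry": "12/27", "cvv2": "123"}
    print(storable_record(reservation))
    note = "Booking for A. Guest, card 4111 1111 1111 1111, phone 06151-123456"
    print(find_unmasked_pans(note))
```

Running the inventory helper over exported mailboxes, spreadsheets and HMS log files is one way to answer the guide's first question: how many storage areas actually hold card data.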
Secure Hotel Management Software

It is impossible to run a hotel business without effective Hotel Management Software (HMS). Usually, this program also stores and processes payment card data. Using an older version, or a version that is not validated according to PCI PA-DSS, means incurring a high risk: in these cases, data is very often not stored and processed securely. However, using software that is validated according to PCI PA-DSS is not sufficient on its own. How was the software installed? Have you followed all the recommendations and measures specified by the software manufacturer? Do you use a service provider with both the technical and the necessary security know-how? How, for example, are maintenance and updates of the software performed? Are there any insecure or permanently open accesses for the software developer or service provider? These accesses might also be used and misused by attackers.

Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS)

This security standard was developed by payment card organizations such as VISA and MasterCard specifically for software that is intended to process, store or transmit payment card data. Software can be validated according to this standard.

- Rely on Hotel Management Software that is validated according to PCI PA-DSS.
- Make sure that the software was installed and configured according to the manufacturer's instructions. For this purpose, the manufacturer has to supply a so-called Implementation Guide.
- Verify that the IT service provider who installs and maintains your software possesses the required security knowledge. Does the service provider know the requirements of the PCI DSS?
- Discuss with your software manufacturer and/or service provider how maintenance and updating are performed via the internet. Are these accesses secured? Is it possible to activate them only during maintenance and to close them afterwards?
- Provide appropriate training for your staff on handling the Hotel Management Software and make sure that payment card data is only stored in the software and not written down anywhere.

Check list:
- Check that the Hotel Management Software in use is certified as PCI PA-DSS compliant
- Ensure installation of the HMS according to the Implementation Guide
- Check the service provider's security know-how regarding PCI DSS
- Initiate staff training for secure handling of the HMS
- Arrange for protection/deactivation of HMS internet accesses
Reservations via E-Mail or Fax

It happens quite often that guests send reservations via e-mail or fax. These electronically transmitted messages frequently contain payment card information and are an inherent security risk.

1. In order to minimize the number of unwanted reservation inquiries containing payment card data, you should always point out to your guests that sending payment card data via e-mail or fax is insecure and also not necessary.
2. You should proceed as follows with the remaining unwanted reservation inquiries containing payment card data:
3. Delete the e-mail from your inbox and empty the electronic recycle bin in the e-mail program and in the operating system. If necessary, print out the e-mail.
4. Discuss further measures for the secure deletion of e-mails with your IT responsible person or your IT service provider (e.g. deletion from the server, use of specific deletion programs).
5. Transfer the reservation inquiry/payment card data into your Hotel Management Software.
6. If incoming faxes are automatically transformed into electronic form (e.g. into an e-mail), please proceed as indicated in Points

If reservation inquiries have to be saved, collect and store them safely in a folder, which should preferably be kept in a closed cabinet that is not accessible to the public.
6. If reservation inquiries no longer have to be saved, or if you don't need them any more after the guests check out, make sure to destroy them safely. For this purpose, use a so-called secure document bin or a document shredder complying with Security Level 4.

Staff who might receive e-mails or faxes containing payment card data have to be trained in these procedures.

Check list:
- Advise guests of the risk involved in sending payment card data via e-mail or fax
- Introduce procedures for the handling of e-mails and faxes containing payment card information
- Discuss measures for secure deletion with the IT-responsible person/service provider
- Initiate training for staff who are in contact with payment card data
User Names and Passwords

It is quite usual in the service area that the same access data (e.g. user name/password or chip card/PIN) is used by different employees. This is called a group account. However, it is difficult to maintain control over the allocated group accounts. If an employee leaves the company, that person might pass the access data on to unauthorized persons. Moreover, numerous studies show that many users choose the same weak passwords, for example:

- Mousy123
- Iloveyou
- Princess
- abc123

As a basic principle, only individual user names and passwords should be assigned. Do not share any user ID. Each employee has to choose and set a personal password after installation. Always use secure, so-called complex passwords with a minimum length of seven characters and a mix of uppercase and lowercase letters and digits.

Here's a way to come up with secure passwords and memorize them:
(1) Think of a sentence to remember (e.g., My 1st sentence to remember is perfect!)
(2) You can then create your own password using the first character of each word, i.e.: M1ststrip!

Short numerical sequences and regular words listed in the dictionary, for example, are especially easy to guess. They can easily be cracked by computer programs that repeatedly try all possible combinations and commonly used passwords, fully automatically and at high speed.

Software manufacturers assign initial default passwords that are often not changed during installation or thereafter. If this is the case, an attacker can easily gain administrative access to computer systems by using default password lists that are freely available on the internet. Your IT responsible persons or your IT service provider should be obligated to change default passwords. Due to the potentially high threat, Visa Europe has published a separate hand-out about password security.

Check list:
- Terminate the use of group accounts
- Obligate staff and service providers to use complex passwords
- Technically enforce the use of complex passwords
- Obligate IT responsible persons and service providers to change all default passwords
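The password rules on this page, as an added example that is not part of the usd AG guide: a checker that enforces the stated complexity rule (seven characters, upper and lower case, digits) and additionally rejects the commonly used passwords the page lists, a default-credential check, and the mnemonic scheme turning the example sentence into M1ststrip!. COMMON_PASSWORDS and DEFAULT_CREDENTIALS are small constructed stand-ins for the much larger lists that cracking tools use.

```python
import re

# Added example, not part of the usd AG guide: the guide's password rules
# (minimum seven characters, upper and lower case letters and digits, no
# commonly used passwords) and its mnemonic scheme as code. The two lists
# below are constructed stand-ins for the far larger lists attackers use.

MIN_LENGTH = 7
COMMON_PASSWORDS = {"mousy123", "iloveyou", "princess", "abc123", "password", "123456"}
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}


def password_problems(password: str) -> list:
    """Return the rules a password violates; an empty list means it is complex
    in the guide's sense and not on the common-password list."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    # Mousy123 satisfies every complexity rule and is still weak: it is on
    # the lists that cracking programs try first, so this check is essential.
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    return problems


def is_complex(password: str) -> bool:
    return not password_problems(password)


def uses_default_credentials(username: str, password: str) -> bool:
    """Default-password check a service provider can run after installation."""
    return (username.lower(), password.lower()) in DEFAULT_CREDENTIALS


def mnemonic_password(sentence: str) -> str:
    """The guide's scheme: first character of each word, numeric tokens such
    as '1st' kept whole, and the sentence's final punctuation kept."""
    parts = []
    for word in sentence.split():
        if word[0].isdigit():
            parts.append(re.match(r"\d+\w*", word).group())
        else:
            parts.append(word[0])
    trailing = re.search(r"[^\w\s]+$", sentence)
    return "".join(parts) + (trailing.group() if trailing else "")


if __name__ == "__main__":
    pw = mnemonic_password("My 1st sentence to remember is perfect!")
    print(pw, password_problems(pw))
    for weak in ("Mousy123", "Iloveyou", "Princess", "abc123"):
        print(weak, password_problems(weak))
```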
Secure Network for You and Your Guests

Many hotels offer their guests access to the internet. There are major risks involved if the network (wired or WLAN) designated for your guests' internet access is connected to the hotel office network. Attackers can try to get into the hotel office network and gain access to payment information via the guest network, which is usually open. WLAN is a notable example of a system that is not confined to the inside of the hotel building, as it is readily accessible to anybody on the street. Missing or weak encryption (such as WEP) of the communication link and insufficient protection of the WLAN access points enable attackers to penetrate the office network.

Another weak point is access to the settings of the WLAN access points. Manufacturers of WLAN hardware assign default passwords for access to the settings. Anybody who knows the default passwords published on the internet is able to cause malfunctions (such as turning off the WLAN system), steal data and deactivate encryption. The name of the access points (the so-called SSID), preconfigured by the manufacturer, is frequently left unchanged, which further facilitates successful attacks.

Separate the network for the guests from your office network whenever possible. A physical separation is the best solution, i.e. a separate wiring system and separate data processing. If this is not possible, instruct an IT service provider to separate the networks logically using appropriate protection measures (e.g. a firewall), thus providing and operating a secure guest network independently from your office network. Guests receive the access data for the internet access free of charge or by means of a prepaid voucher. This way, you know who uses your guest network and the guest doesn't have to disclose any payment card data to activate the internet access.

Instruct your IT responsible person or your IT service provider to secure the access points and your hotel office WLANs. Instruct them to install strong encryption technology (such as WPA2), to use strong encryption passwords and to change the passwords regularly (especially if persons familiar with the passwords leave the company). Change the name (the so-called SSID) of the WLAN access points. Change the default passwords for access to the settings of the WLAN access points; use complex passwords in this context as well.

Check list:
- Separate the guest network for internet access from the office network of the hotel
- Hire specialized providers for the provision of guest networks
- Introduce vouchers or individual access data for the internet access activation
- Activate secure WLAN encryption (e.g. WPA2)
- Establish protection of access points and wireless networks (by service provider)
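The access point settings above (SSID changed, WEP off, WPA2 with a strong passphrase), as an added example that is not part of the usd AG guide: a check a service provider could run over an access point's configuration file. It assumes the access point is configured with hostapd-style key=value lines; DEFAULT_SSIDS, the passphrase length threshold and both sample configurations are constructed for illustration.

```python
# Added example, not part of the usd AG guide: check a WLAN access point
# configuration against the guide's points (SSID changed, WEP off, WPA2 with a
# strong passphrase). Assumptions: hostapd-style "key=value" configuration;
# DEFAULT_SSIDS, MIN_PASSPHRASE and the two sample configurations are constructed.

DEFAULT_SSIDS = {"default", "wireless", "wlan", "hotspot"}
MIN_PASSPHRASE = 12          # assumed local policy; WPA2-PSK itself only requires 8


def parse_hostapd(text: str) -> dict:
    """Parse key=value lines, ignoring blank lines and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_access_point(text: str) -> list:
    """Return the checklist items the configuration fails (empty = all passed)."""
    conf = parse_hostapd(text)
    findings = []
    ssid = conf.get("ssid", "")
    if not ssid or ssid.lower() in DEFAULT_SSIDS:
        findings.append("ssid-default")          # name left as shipped
    if any(k.startswith("wep_key") for k in conf):
        findings.append("wep-enabled")           # weak encryption still configured
    if conf.get("wpa") != "2":
        findings.append("wpa2-not-enforced")     # 0 = open, 1 = WPA, 3 = WPA/WPA2 mixed
    ciphers = conf.get("rsn_pairwise", "") + " " + conf.get("wpa_pairwise", "")
    if "CCMP" not in ciphers:
        findings.append("ccmp-missing")          # AES-CCMP required, not TKIP
    passphrase = conf.get("wpa_passphrase", "")
    if len(passphrase) < MIN_PASSPHRASE or passphrase.lower() == ssid.lower():
        findings.append("passphrase-weak")
    return findings


# constructed: an access point left as delivered, WEP key set
WEAK_CONF = """
interface=wlan0
ssid=default
wep_default_key=0
wep_key0=0123456789
"""

# constructed: the same access point after applying the guide's points
HARDENED_CONF = """
interface=wlan0
ssid=Hotel-Office-7f3a
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Walnut-Lantern-Harbour-1904
"""

if __name__ == "__main__":
    print("weak:", audit_access_point(WEAK_CONF))
    print("hardened:", audit_access_point(HARDENED_CONF))
```

The check covers only the access point itself; whether the guest network is actually separated from the office network is a wiring and firewall question that a configuration file cannot answer.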
About usd AG

As an IT security consulting company, we support companies in all aspects of payment card security. This includes technical aspects such as security scans, penetration tests, risk analysis, staff training and the implementation of security processes. However, our core business is providing conceptual consulting services and successfully certifying our customers according to the international security standards of the payment card industry. We do not sell specific products but rather provide independent and objective consulting services to our customers.

Our expertise is based on many years of experience in the IT security and systems engineering fields as well as in the practical application of the BSI, ISO 27001 and PCI security standards. As a Qualified Security Assessor (QSA), Payment Application Qualified Security Assessor (PA-QSA) and Approved Scanning Vendor (ASV) accredited by the PCI Council, we are authorized to certify companies throughout Europe according to PCI DSS and PCI PA-DSS. Together we analyze your situation and find integrated solutions with an eye to risks, feasibility and budget.

Information and Support

Do you have any questions or do you need any support? We are at your disposal and would be happy to help you.
Telephone:
Telefax:
Internet:
Robert-Bosch-Straße 25 a
Langen
More informationCREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011
CREDIT CARD MERCHANT PROCEDURES MANUAL Effective Date: 5/25/2011 Updated: May 25, 2011 TABLE OF CONTENTS Introduction... 1 Third-Party Vendors... 1 Merchant Account Set-up... 2 Personnel Requirements...
More informationComplying with Payment Card Industry Data Security Standards (PCI DSS) Requirements. Approaches in Higher Education
September 28, 2010 Complying with Payment Card Industry Data Security Standards (PCI DSS) Requirements Approaches in Higher Education Dennis W. Reedy Managing Director, Treasury Operations Indiana University
More informationWhat are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:
What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International
More informationPCI DSS Overview. By Kishor Vaswani CEO, ControlCase
PCI DSS Overview By Kishor Vaswani CEO, ControlCase Agenda About PCI DSS PCI DSS Applicability to Banks, Merchants and Service Providers PCI DSS Technical Requirements Overview of PCI DSS 3.0 Changes Key
More information05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013
05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of
More informationPCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014
PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions
More informationPayment Card Industry Data Security Standard
Payment Card Industry Data Security Standard Office of the State Treasurer Ryan Pitroff Banking Services Manager Ryan.Pitroff@tre.wa.gov PCI-DSS A common set of industry tools and measurements to help
More informationUniversity of Sunderland Business Assurance PCI Security Policy
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial
More informationA MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)
A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS) The mandatory guide for storing, processing or transmitting cardholder information Overview and applicability Any application
More informationManaged Hosting & Datacentre PCI DSS v2.0 Obligations
Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version
More informationStandard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: March 2011. Information Supplement: Protecting Telephone-based Payment Card Data
Standard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: March 2011 Information Supplement: Protecting Telephone-based Payment Card Data Table of Contents Executive Summary 3 Clarification of
More informationSECTION: SUBJECT: PCI-DSS General Guidelines and Procedures
1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities
More informationPayment Card Industry Compliance Overview
January 31, 2014 11:30am 12:30pm Central Hosted by: Texas.gov Presented by: Jayne Holland Barbara Brinson Payment Card Industry Compliance Overview Securing Government Payments Audio Dial In: 866-740-1260
More informationPayment Card Industry - Achieving PCI Compliance Steps Steps
CUR RITY SE Data Security Requirements for K-12 January 28, 2010 Payment Card Industry (PCI) SE CUR RITY 1 Welcome To Join The Voice Conference Dial 866-939-3921 Technical issues press 0 Q & A We ll leave
More informationTop Three POS System Vulnerabilities Identified to Promote Data Security Awareness
CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA
More informationThe Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development
The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment Card Industry Data Security Standards
More informationFraud - Preparing Data Card Transactions
Liverpool Hope University PCI DSS Policy Document Control Date Revision/Amendment Details & Reason Author 26 th March 2015 Updates G. Donelan 23 rd June 2015 Audit Committee 7 th July 2015 University Council
More information* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.
Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain
More informationPAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW
PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW David Kittle Chief Information Officer Chris Ditmarsch Network & Security Administrator Smoker Friendly International / The Cigarette Store Corp
More information1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education
PCI in Higher Education Walter Conway, QSA 403 Labs, LLC Walt Conway PCI consultant, blogger, trainer, speaker, author Former Visa VP Help schools become PCI compliant Represent Higher Education at PCI
More informationPayment Card Industry Data Security Standards.
Payment Card Industry Data Security Standards. Your guide to protecting cardholder data Helping you manage the risk. Credit Card fraud and data compromises are an increasingly serious problem, costing
More informationCredit Card Handling Security Standards
Credit Card Handling Security Standards Overview This document is intended to provide guidance to merchants (colleges, departments, auxiliary organizations or individuals) regarding the processing of charges
More informationPCI Security Compliance
E N T E R P R I S E Enterprise Security Solutions PCI Security Compliance : What PCI security means for your business The Facts Comodo HackerGuardian TM PCI and the Online Merchant Overview The Payment
More information8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year
Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year Over 80% of compromised systems were card present or in-person transactions
More informationAISA Sydney 15 th April 2009
AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks
More informationYour guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)
Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions Version 5.0 (April 2011) Contents Contents...2 Introduction...3 What are the 12 key requirements of
More informationCustomer Card Data Security and You
Customer Card Data Security and You 01 What Is Global Fortress? Global Fortress is designed as a first line defence to provide you with the resources to help you in your fight against fraudsters. It simplifies
More informationPayment Card Industry Data Security Standards
Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This
More informationsafe and sound processing online card payments securely
safe and sound processing online card payments securely Executive summary The following information and guidance is intended to provide key payment security advice to new or existing merchants who trade
More informationA PCI Journey with Wichita State University
A PCI Journey with Wichita State University Blaine Linehan System Software Analyst III Financial Operations & Business Technology Division of Administration & Finance 1 Question #1 How many of you know
More informationThird-Party Access and Management Policy
Third-Party Access and Management Policy Version Date Change/s Author/s Approver/s Dean of Information Services 1.0 01/01/2013 Initial written policy. Kyle Johnson Executive Director for Compliance and
More informationInformation Security Services. Achieving PCI compliance with Dell SecureWorks security services
Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)
More informationSymposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda
2010 Finance & Business Operations Symposium (FBOS) PCI Compliance Cort M. Kane COO, designdata Judy Durham CFO, NPES Kymberly Bonzelaar, Sr. VP Capital One Richard Eggleston, Sr. Project Director, TMAR
More informationWhat You Need to Know About PCI SSC. 2014 Guiding open standards for global payment card security
What You Need to Know About PCI SSC 2014 About the PCI Council Founded in 2006 - Guiding open standards for payment card security Development Management Education Awareness Expanding Global Representation
More informationMerchant guide to PCI DSS
Merchant guide to PCI DSS Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 BOIPA Simple PCI DSS - 3 step approach to helping businesses... 3 What does
More informationHow SafenSoft TPSecure can help. Compliance
How SafenSoft TPSecure can help with PCI DSS Compliance June 2011 Tel: 1-866-846-6779 Fax: 1-408 273 Executive Summary In an era of increasingly sophisticated attacks on systems, it is vital that any business
More informationA Compliance Overview for the Payment Card Industry (PCI)
A Compliance Overview for the Payment Card Industry (PCI) Many organizations are aware of the Payment Card Industry (PCI) and PCI compliance but are unsure if they are doing everything necessary. This
More informationPCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES
PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES CUTTING THROUGH THE COMPLEXITY AND CONFUSION Over the years, South African retailers have come under increased pressure to gain PCI DSS (Payment Card Industry
More informationEAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )
EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder
More informationDATA SECURITY. Payment Card Industry (PCI) Compliance Steps for Organizations May 26, 2010. 2010 Merit Member Conference
2010 Merit Member Conference Compliance Steps for Organizations May 26, 2010 Payment Card Industry (PCI) 1 Welcome 2 Welcome Q & A We ll leave time to address questions during the last 15 minutes of the
More information