White Paper. Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance
Executive Overview

Cyber-attacks designed for financial gain are on the rise, targeting proprietary information including customer and financial data. With over 127 million records exposed in 2007 in the US alone, attacks have become more sophisticated, combining network-layer and application-layer attacks with other vectors such as social engineering, breakdowns in internal security processes and trusted-insider abuse. The cost to businesses, in lost revenue and lost customers, can be staggering: TJX estimates that it spent over $20M on its late-2006 breach, including settling lawsuits and addressing data security issues.

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide standard designed to help organizations secure cardholder processing environments. First released in December 2004 in response to the emerging threat to cardholder information, it is now maintained by the PCI Security Standards Council (PCI SSC), formed in 2006 by Visa, MasterCard, American Express, Discover and JCB. The standard defines 12 requirements that must be met for compliance; failure to do so may result in steep fines that can reach into the hundreds of thousands of dollars. PCI DSS v1.2, the latest update, was released in October 2008; the complete document, and a summary of what is new in v1.2, can be found on the PCI Security Standards Council website.

Best practices to secure the cardholder environment and achieve compliance with the standard start with a properly documented, executive-management-endorsed information security policy that is broadly communicated, tested and enforced.
These best practices also include understanding the organization's cardholder data environment (where the data is located and stored, and how it moves between applications), regular monitoring of the network for potential vulnerabilities, ongoing reporting of network activity, and regular internal and third-party penetration testing.

Data Breach Profile

Targeted, financially motivated attacks via the Internet continue to rise, fueled further by current economic conditions. Internally originated threats are still considered a primary cause of security breaches, but external attacks remain a very serious threat: when a recent e-crime survey asked which caused more damage, internal or external attacks, the split was fairly even, at 34% vs. 37% respectively. Acquiring unsecured financial information is the primary objective of hackers and organized crime, feeding a thriving black market for stolen credit card numbers, bank accounts, passwords, personal identification numbers and other data. With dramatically reduced budgets, the associated layoffs and fierce competition for revenue, industrial espionage is also likely to pose an increased threat. These attacks target not only online retailers but also, increasingly, higher education, government, manufacturing and bio-medical organizations, and breaches now occur on point-of-sale, back-office and wireless systems as well. Reported vulnerabilities, also on the rise (Figure 1), include SQL injection, poor or default server configuration, and cross-site scripting.
[Figure 1: number of vulnerabilities cataloged per year, based on US Computer Emergency Readiness Team (CERT) Vulnerability Remediation Statistics (total vulnerabilities cataloged from public sources or submitted directly to CERT); 2008 estimated from actual data through 3Q2008.]

The Business Threat

According to the Identity Theft Resource Center (ITRC), the total number of records containing sensitive personal information involved in security breaches in 2007 was 127,726,343, across companies in every industry: retail, education, financial, government, telecommunications, healthcare, publishing, manufacturing and bio-med. No industry was immune. All companies handle personal information of some type, which makes them targets. Recently, the most successful attacks have been sophisticated, aimed at particular organizations and designed for financial gain. Attacks have become more complex and exploit social engineering, insider abuse and process breakdowns in addition to technology weaknesses. While the loss of personal information can be traumatic for consumers, who must go through the anxiety and remediation steps of potential or actual identity theft, the cost to businesses can be staggering: fines, loss of revenue, loss of customer loyalty and irreparable damage to brand or image have all been experienced by organizations hit by a data breach.
Payment Card Industry Data Security Standard (PCI DSS)

To combat data theft, the major credit card companies created a Data Security Standard that requires merchants, web-based retailers and service providers that accept or process credit cards to comply with well-defined security directives. According to the standard, all members, merchants and service providers that store, process or transmit cardholder data must meet specific security requirements, which include building a secure network and maintaining a vulnerability management program (see Table 1). To demonstrate compliance, most merchants and service providers must provide security assessments and perform quarterly network scans to locate and fix vulnerabilities and so mitigate the risk of intrusion. Organizations found not to be in compliance can face hefty penalties, in the hundreds of thousands of dollars, if data breaches are discovered.

Table 1: Merchant Validation Requirements

Level  Merchant criteria (annual transactions)                                  Validation requirements
1      Over 6 million                                                           Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA); quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance form
2      1 to 6 million (all channels)                                            Annual Self-Assessment Questionnaire (SAQ); quarterly network scan by ASV; Attestation of Compliance form
3      20K to 1 million (e-commerce)                                            Annual SAQ; quarterly network scan by ASV; Attestation of Compliance form
4      Less than 20K e-commerce, and all other merchants processing up to 1 million   Annual SAQ recommended; quarterly network scan by ASV if applicable; compliance validation requirements set by the acquirer

PCI DSS is designed to facilitate global adoption of consistent data security measures that eliminate the loss of cardholder information, and it clearly defines the steps needed to secure a networked environment.
The scope of these requirements is broad but straightforward, giving service providers and merchants direction on which technologies, policies and procedures are needed to achieve compliance. PCI DSS incorporates best practices for perimeter security, data privacy and application security. Lacking any other guide to network security, many network security professionals have used PCI DSS to develop a network security plan. More specifically, though, PCI DSS is a framework of best-practice requirements for companies that handle sensitive credit card data, to ensure that they properly protect that information. By banding together behind PCI DSS, the major credit card companies have built momentum for its adoption.
Even though merchant compliance is up significantly (by the end of 2007, 77% of large merchants vs. 12% in March 2006, and 62% of midsize merchants vs. 15% in 2006, according to a report issued by Visa in early 2008), a recent Gartner report [1] indicates that while Visa is making strong progress in driving PCI compliance, the other card brands' compliance efforts, and PCI Security Standards Council communications, still need improvement. Merchants that fail to meet the standard risk stiff penalties for non-compliance. According to Visa, penalties range from fines of up to $500,000 to increased auditing requirements or even loss of the ability to process credit card transactions. These requirements hold all merchants, regardless of size, to a much higher standard when it comes to protecting the financial and personal information of their customers.

What is PCI Compliance?

PCI DSS requires merchants, processors, point-of-sale vendors, financial institutions and payment companies to implement the processes, procedures and technology needed to protect credit card information.
There are twelve PCI DSS requirements, grouped under six goals, covering access management, network security, incident response, network monitoring and testing, and information security policy:

Build and Maintain a Secure Network (*)
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update antivirus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks (*)
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

* PCI DSS also provides guidelines to prevent breaches involving wireless networks used in environments that contain credit card data:
  1. Firewall segmentation between wireless networks and POS networks
  2. Use of a wireless analyzer to detect unauthorized wireless devices and attacks

[1] Gartner Research Report "PCI Compliance Grows but Major Industry Problems Remain", by Avivah Litan, January 2008
As shown in Table 1, becoming PCI DSS compliant requires many organizations to complete a detailed self-assessment questionnaire and to have all Internet-facing systems scanned quarterly for vulnerabilities by an independent scanning vendor. The PCI SSC's Self-Assessment Questionnaire (SAQ) summary for v1.2 is designed to help organizations determine which SAQ applies to them. Merchants that process 6 million or more transactions annually must undergo a detailed on-site assessment. In addition, a merchant that suffers a breach may be escalated to Level 1 at the discretion of the card brands (for example Visa or MasterCard), and is then required to engage a Qualified Security Assessor to audit the cardholder environment. Regardless of transaction volume or company size, failure to comply can lead to steep penalties and unwanted publicity: news of a security breach taints brand image, reduces consumer trust and results in serious fines and class-action lawsuits from consumers or from banks that have to reissue cards.

Best Practices to Enable PCI Compliance

Policies, processes and training are as important to PCI compliance as the technologies that are implemented. Network and security administrators must be guided by policies that embed the standard's requirements into ongoing operational activities. Developing security best practices helps organizations put the controls in place to achieve and maintain PCI compliance.
These best practices must include:
  A formal information security policy supported by executive management
  Broad communication, training, testing and enforcement of policies and processes
  Constant and accurate knowledge of the location and movement of cardholder data
  An enterprise-level vulnerability assessment program, including regular monitoring of the network for potential vulnerabilities
  Reporting of network activity and log entries, to react quickly to attacks and to validate the effectiveness of policies and technologies
  Validation of third-party as well as custom applications in the cardholder environment
  Regular third-party testing

Define Security Policies

An organization entrusted with cardholder information must develop an information security policy focused on protecting this sensitive data from unauthorized access and from the risk of identity theft. The security policy is a formal definition of what is allowed and what is not, including acceptable use of systems, applications and data for every category of user, administrators included. The policy must have executive management support, must be fully documented, and should be reviewed at least annually so that new requirements and updates identified by audits and feedback can be incorporated. Roles and responsibilities need to be defined, and employees need to understand how they contribute to the security of the organization. Adopting published security configuration baselines from Microsoft, the NSA, the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) is a good first step in ensuring that networks are properly secured.
Communication, Training, Testing & Enforcement

Once an information security policy has been defined, it must be communicated throughout the organization. Proper communication includes a required training process in which users learn the policy's procedures, their roles and responsibilities, and the consequences of not complying with the organization's policies. A comprehensive test should be administered to validate successful completion of this training. To maximize the effectiveness of the policies, it is imperative that organizations strictly enforce them. Training must also cover external users that have access to the data infrastructure. For example, for simplicity many merchants unfortunately use generic usernames and passwords to access point-of-sale systems; since a critical aspect of the security policy is knowing who is accessing what information and from where, these merchants must be trained to use individual usernames and passwords and to change them according to the organization's password policy.

A clear goal of training an organization on the information security policy is to address the growing problem of social engineering. Social engineering describes non-technical intrusion into an organization's data environment that relies on human interaction, often by tricking people into breaking normal security policy. Like a traditional con game, in which the victim is duped because people are naturally trusting, social engineers will use any technique to obtain unauthorized information. Techniques range from phone calls with urgent requests to people with administrative privileges, to malware lurking behind messages designed to lure the user into opening an attachment. Most people have a tendency to trust others.
The naive insider who falls for a phishing scam or takes a phone call from someone who "needs" inside information is a frequent occurrence in the workplace. Employees need to be trained on social engineering tricks, on what constitutes sensitive information, and on how revealing seemingly unimportant data can lead to unauthorized access. Training should include the security policies and procedures for credit card acceptance and incident response. Some organizations periodically test their social engineering exposure by calling individuals from a number without caller ID and asking simple questions to see what the employee on the phone will reveal about the business. It is considered a best practice to include validation of this human element in audit response testing.

Where is the Data?

PCI DSS v1.2 sets out the different requirements that apply to cardholder data and to sensitive authentication data: whether storage of the element is permitted, whether it must be protected, and whether Requirement 3.4 (render it unreadable wherever stored) applies:

Table 2: Cardholder data and sensitive authentication data (PCI DSS v1.2)

Data element                         Storage permitted   Protection required   PCI DSS Req. 3.4
Cardholder data
  Primary Account Number (PAN)       Yes                 Yes                   Yes
  Cardholder Name                    Yes                 Yes                   No
  Service Code                       Yes                 Yes                   No
  Expiration Date                    Yes                 Yes                   No
Sensitive authentication data*
  Full Magnetic Stripe Data          No                  N/A                   N/A
  CAV2/CVC2/CVV2/CID                 No                  N/A                   N/A
  PIN/PIN Block                      No                  N/A                   N/A
* Must not be stored after authorization (even if encrypted)
Unfortunately, it is common for employees to duplicate data in spreadsheets, documents and other unsecured files to share with others and simplify business processes, unknowingly exposing the company to violations. Storing credit card data unnecessarily, and failing to keep it from traveling across less secure parts of the network, compounds the problem. Encryption is often inconsistent across a company's systems, so credit card data may be protected in some places but not in others. Organizations are often unaware of systems that have retained cardholder data, such as data warehouses, staging servers, backup systems, desktops or other systems that for some reason received a copy of a transaction. Knowing where cardholder data is stored, where it moves through the network, and whether it is encrypted is the critical first step in building a PCI strategy to protect it; only data whose location is known can be protected from unauthorized access.

As stated above, retaining full magnetic stripe data or CVV2 violates PCI DSS. The standard allows only the PAN, cardholder name, service code and expiration date to be retained, and cardholder data must never be stored on a server connected to the Internet. When a CVV2 code is requested, it must not be written to any document or database after transaction authorization. PCI compliance is easier to achieve by reducing the amount of cardholder data that is stored and the number of systems that touch it. Organizations may need to restructure their network to consolidate all systems that handle credit card transactions into a single network segment. Doing so reduces the risk of compromise, simplifies management and execution of the compliance process, and contains the scope of PCI compliance validation. In addition, risk can be mitigated through IT procedural policies.
For example, IT organizations can conduct regular scans of public and private networks to find exposed cardholder information and take the necessary remediation steps. Organizations that use wireless networks to connect remote locations to a central database for data consolidation must either strongly encrypt the data in transit or consider moving to a more secure medium such as a point-to-point virtual private network.

Vulnerability Program

Monitoring the Network for Potential Vulnerabilities

The networked environment is not static: new systems are introduced, laptops come in and out of the network, and new software and upgrades are installed regularly. Regularly scanning the environment for software vulnerabilities and abnormal activity is paramount to network security and is a core PCI objective (the standard's third goal, Maintain a Vulnerability Management Program); Requirement 11.2 additionally mandates quarterly network vulnerability scans. Scanning ensures that administrators keep track of activity that could introduce new exposures, and it often uncovers exposures introduced by updates, new systems, new software or other changes. As noted earlier, vulnerabilities continue to rise and constitute a serious security exposure. Organizations with an online e-commerce application should protect against SQL injection attacks caused by insecure shopping carts; the credit card companies publish lists of validated applications that should be considered. Even when a validated shopping cart is used, Internet-facing systems must still be scanned quarterly for vulnerabilities that could compromise the online business.

Reporting: Required for Compliance, to Monitor Effectiveness, to Respond to Attacks

PCI compliance requires detailed documentation and reporting; PCI DSS v1.2 includes a template for creating the Report on Compliance.
This template calls for, among other things, the four most recent quarterly scan results; detailed findings on each requirement and sub-requirement; details on the specific devices, vulnerabilities and transmission paths involved; and the processing of cardholder data, including authorization, capture, settlement, charge-back and other flows as applicable. To support the report, organizations must document how the security policy is implemented to protect cardholder data. A frequently updated document proving that security policies, practices and tools are in place to maintain the confidentiality of cardholder data will also be invaluable if the network is breached and data is stolen.

To ensure that the information needed to prove compliance is properly documented, organizations should require that every security technology they implement comes with strong reporting capabilities. These reports help security staff understand the effectiveness of security programs and whether policies need to be updated. Robust reporting can also identify attempts by malicious hackers, or anyone else without authorization, to access cardholder data, so that the organization can respond. Products that centrally manage IT assets and push software patches and antivirus updates to systems ensure that all remote sites stay current with security software. PCI requires the ability to log and audit all transactions involving cardholder data.

Selecting Validated Payment Applications

Any software vendor that develops applications for processing credit card payments should have the software validated by a third-party, Visa-accredited assessor as part of its development process. The card associations have developed a set of voluntary application best practices, the Payment Application Data Security Standard (PA-DSS), for software providers, which ensures an acceptable level of security and reduces the scope and cost of compliance. These best practices also apply to custom applications developed specifically for an organization:

Do not retain full magnetic stripe or CVV2 data: Cardholder data must not be recorded in any file or database, including logs, diagnostic files, audit trails, transaction history and images. If cardholder information must be stored, it must never be stored on a server connected to the Internet.
Protect stored data: Any cardholder data displayed or used to populate forms must be masked.
Provide secure password features: Unique usernames and complex passwords must be used for all administrative access and all access to cardholder data.
Log application activity: Records and audit trails of everyone who accesses cardholder data must be retained.
Develop secure applications: Secure system development practices, secure coding practices, code reviews and security testing must be in place; non-essential application accounts, usernames and passwords, and unnecessary or insecure services and protocols, must be removed before applications go live.
Protect wireless transmissions: Wireless connections carrying cardholder data must be strongly encrypted and separated from the cardholder environment by a firewall.
Test applications to address vulnerabilities: All applications, especially those on Internet-facing systems, must be scanned before deployment and regularly thereafter, to ensure that no exposures were introduced by upgrades or bug fixes.
Facilitate secure network implementation: Remote access to the network must be secured with firewalls, VPNs and two-factor authentication (username/password plus token). If the application transmits cardholder data, the transmission must be encrypted, especially over public networks. All non-console administrative access must also be encrypted.
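The data-discovery step described under "Where is the Data?" and the PA-DSS items above (mask displayed PAN, keep PAN and CVV2 out of logs) can both be exercised with a small scanner. The following is an added example written for this page; it is not code from the paper, from Rapid7 or from the PCI SSC. It assumes constructed sample files standing in for spreadsheets and log files found on a share, treats any Luhn-valid run of 13 to 19 digits as a candidate PAN, uses brand-published test card numbers, and assumes hypothetical log field names (cvv2=, cvc2=, cid=) for the sensitive-authentication-data check.

```python
"""PAN discovery and log scrubbing helper.

Added example for this paper; not Rapid7 code and not PCI SSC material.
Assumptions: SAMPLE_FILES below is constructed data standing in for files
found on a share; a run of 13-19 digits (spaces or dashes allowed) that
passes the Luhn check is treated as a candidate PAN; the log field names
cvv2=/cvc2=/cid= are hypothetical.
"""
import re
from typing import Dict, List, Tuple

# 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Sensitive authentication data must never be stored after authorization,
# so a CVV2-style field in a log line is a finding in itself.
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)=[0-9]{3,4}")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (offset, PAN with separators removed) for each Luhn-valid candidate."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append((m.start(), digits))
    return hits


def mask_pan(pan: str) -> str:
    """Show first six and last four digits, the most PCI DSS permits on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_log_line(line: str) -> str:
    """Mask any Luhn-valid PAN and drop CVV2-style values before the line is written."""
    def mask_match(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    line = PAN_RE.sub(mask_match, line)
    return CVV_RE.sub(r"\1=[removed]", line)


def scan_files(files: Dict[str, str]) -> Dict[str, int]:
    """Map each file that contains at least one Luhn-valid PAN to its hit count."""
    report = {}
    for name, body in files.items():
        hits = find_pans(body)
        if hits:
            report[name] = len(hits)
    return report


# Constructed sample data. The card numbers are brand-published test numbers.
SAMPLE_FILES = {
    "finance/refunds_q3.csv":
        "order,card,amount\n1001,4111 1111 1111 1111,49.99\n1002,5555-5555-5555-4444,12.00\n",
    "it/inventory.txt":
        "asset 1234567890123 serial 9876543210986\n",   # 13-digit runs that fail Luhn
    "web/app.log":
        "2008-10-14 12:01:05 auth ok pan=4111111111111111 cvv2=123 amount=49.99\n",
}

if __name__ == "__main__":
    for name, count in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {count} PAN(s) found")
    print(scrub_log_line(SAMPLE_FILES["web/app.log"].strip()))
```

The Luhn check is what keeps the inventory file out of the report: a digit-length regex alone would flag asset and serial numbers and bury real findings in noise. The scrub function is the shape of filter that belongs in front of any log writer in the cardholder environment, since an unmasked PAN or a CVV2 value in app.log is a stored-data violation regardless of how briefly the line exists.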
Third Party Assistance

Much assistance is available to organizations striving to protect the cardholder environment and achieve PCI compliance. The PCI SSC trains and certifies third parties to help with the process. For some organizations third-party involvement is required to validate compliance, and for all organizations it is required for the quarterly network scans. The largest (Level 1) merchants must have annual on-site assessments by Qualified Security Assessors (QSAs); other merchants may choose to engage these costly QSAs to help validate compliance, but for Level 2 to 4 merchants only the Self-Assessment Questionnaire (SAQ) is mandated. Many merchants are required to use Approved Scanning Vendors (ASVs) for their mandatory quarterly scans. Engaging security consultants experienced in testing an organization's security holistically is highly recommended: they understand the threat and vulnerability landscape, know what needs to be tested to validate that policies and practices are effective, and are skilled at training organizations on the best practices needed to fully deploy security policies.

Achieving PCI DSS Compliance

Achieving PCI DSS compliance is no longer optional but a mandatory business requirement for any business that wants to keep its customers. Effective security policies that continuously assess and remediate enterprise systems keep businesses compliant. By maintaining a continuous state of compliance, organizations can proactively eliminate threats that exploit the ever-changing network landscape, protect their cardholder environment and ensure ongoing compliance. PCI DSS provides valuable guidance and direction to organizations that must protect the cardholder environment, and it includes requirements that those organizations must follow. Information security best practices will help organizations achieve and maintain PCI compliance.
About Rapid7

Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and penetration testing products, Nexpose and Metasploit, and its mobile risk management solution, Mobilisafe, enable defenders to gain contextual visibility and manage the risk associated with their IT environment, users and the threats relevant to their organization. Rapid7's simple and innovative solutions are used by more than 2,000 enterprises and government agencies in more than 65 countries, while the company's free products are downloaded more than one million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7 has been recognized as one of the fastest growing security companies by Inc. Magazine and as a Top Place to Work by the Boston Globe. Its products are top rated by Gartner, Forrester and SC Magazine. The company is backed by Bain Capital and Technology Crossover Ventures. For more information about Rapid7, please visit com.

PCI BP 1208

Footnote: Visa, November 10, 2008 press release, "Visa Sets Global DSS Deadlines"
More informationPayment Card Industry Data Security Standards
Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This
More informationThis appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected
This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 1.1 February 2008 Table of Contents About this Document... 1 PCI Data Security Standard
More informationHow To Protect Your Credit Card Information From Being Stolen
Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)
More informationPCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com Overview PCI DSS In the beginning Each major card brand had its own separate
More informationDon Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer
Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud
More informationHow To Protect Your Business From A Hacker Attack
Payment Card Industry Data Security Standards The payment card industry data security standard PCI DSS Visa and MasterCard have developed the Payment Card Industry Data Security Standard or PCI DSS as
More informationPreventing. Payment Card Fraud. Is your business protected?
BY TROY HAWES Preventing Payment Card Fraud Is your business protected? AT A GLANCE + The theft of credit card payment data by hackers is not limited to large corporations. + Many smaller companies fall
More informationKey Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
More informationWhitepaper. PCI Compliance: Protect Your Business from Data Breach
Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your
More informationSecurityMetrics. PCI Starter Kit
SecurityMetrics PCI Starter Kit Orbis Payment Services, Inc. 42 Digital Drive, Suite 1 Novato, CA 94949 USA Dear Merchant, Thank you for your interest in Orbis Payment Services as your merchant service
More informationWorldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)
Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) What is PCI DSS? The 12 Requirements Becoming compliant with SaferPayments Understanding the jargon SaferPayments Be smart.
More informationCREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011
CREDIT CARD MERCHANT PROCEDURES MANUAL Effective Date: 5/25/2011 Updated: May 25, 2011 TABLE OF CONTENTS Introduction... 1 Third-Party Vendors... 1 Merchant Account Set-up... 2 Personnel Requirements...
More information05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013
05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of
More information* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.
Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain
More informationPCI DSS Compliance. 2015 Information Pack for Merchants
PCI DSS Compliance 2015 Information Pack for Merchants This pack contains general information regarding PCI DSS compliance and does not take into account your business' particular requirements. ANZ recommends
More informationPresented By: Bryan Miller CCIE, CISSP
Presented By: Bryan Miller CCIE, CISSP Introduction Why the Need History of PCI Terminology The Current Standard Who Must Be Compliant and When What Makes this Standard Different Roadmap to Compliance
More informationAn article on PCI Compliance for the Not-For-Profit Sector
Level 8, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 An article on PCI Compliance for the Not-For-Profit Sector Page No.1 PCI Compliance for the Not-For-Profit Sector
More informationPCI DSS. Payment Card Industry Data Security Standard. www.tuv.com/id
PCI DSS Payment Card Industry Data Security Standard www.tuv.com/id What Is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is the common security standard of all major credit cards brands.the
More informationWhitepaper. PCI Compliance: Protect Your Business from Data Breach
Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your
More informationQ: What is PCI? Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)? Q: What are the PCI compliance deadlines?
Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain
More informationPCI DSS Overview and Solutions. Anwar McEntee Anwar_McEntee@rapid7.com
PCI DSS Overview and Solutions Anwar McEntee Anwar_McEntee@rapid7.com Agenda Threat environment and risk PCI DSS overview Who we are Solutions and where we can help Market presence High Profile Hacks in
More informationNeed to be PCI DSS compliant and reduce the risk of fraud?
Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction
More informationPCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing
More informationData Security Basics for Small Merchants
Data Security Basics for Small Merchants 28 October 2015 Stan Hui Director, Merchant Risk Lester Chan Director, Merchant Risk Disclaimer The information or recommendations contained herein are provided
More informationPROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN
PCI Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information
More informationThe State of Security and Compliance for E- Commerce and Retail
The State of Security and Compliance for E- Commerce and Retail Current state of security PCI regulations and compliance Does the data you hold require PCI compliance Security and safeguarding against
More informationIt is important to note, the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.
PCI FAQ And MYTHS FREQUENTLY ASKED QUESTIONS (FAQ): Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process,
More informationPCI DSS. CollectorSolutions, Incorporated
PCI DSS Robert Cothran President CollectorSolutions www.collectorsolutions.com CollectorSolutions, Incorporated Founded as Florida C corporation in 1999 Approximately 235 clients in 35 states Targeted
More informationPuzzled about PCI compliance? Proactive ways to navigate through the standard for compliance
Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com
More informationCyber - Security and Investigations. Ingrid Beierly August 18, 2008
Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities
More informationInformation Security Services. Achieving PCI compliance with Dell SecureWorks security services
Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)
More informationAIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009
AIS Webinar Payment Application Security Hap Huynh Business Leader Visa Inc. 1 April 2009 1 Agenda Security Environment Payment Application Security Overview Questions and Comments Payment Application
More informationPCI DSS Presentation University of Cincinnati
PCI DSS Presentation University of Cincinnati Quick PCI Level Set Higher Ed Challenges Getting Compliant Application w/ customers Q& A PCI DSS Payment Card Industry Data Security Standard What is the PCI
More informationPayment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions
PCI/PA-DSS FAQs Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions What is PCI DSS? The Payment Card Industry Data
More informationPCI DSS COMPLIANCE DATA
PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities
More informationTNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business
TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment
More informationPAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW
PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW David Kittle Chief Information Officer Chris Ditmarsch Network & Security Administrator Smoker Friendly International / The Cigarette Store Corp
More informationPDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)
PDQ has created an Answer Guide for the Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C to help wash operators complete questionnaires. Part of the Access Customer Management
More informationCredit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600
Credit Cards and Oracle: How to Comply with PCI DSS Stephen Kost Integrigy Corporation Session #600 Background Speaker Stephen Kost CTO and Founder 16 years working with Oracle 12 years focused on Oracle
More informationTREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS
TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration
More informationA MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)
A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS) The mandatory guide for storing, processing or transmitting cardholder information Overview and applicability Any application
More informationAchieving Compliance with the PCI Data Security Standard
Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),
More informationPCI Data Security Standards (DSS)
ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants
More informationPCI Compliance Overview
PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)
More informationProperty of CampusGuard. Compliance With The PCI DSS
Compliance With The PCI DSS Today s Agenda PCI DSS Introduction How are Colleges and Universities Affected? How Do You Validate Compliance? Best Practices Q&A CampusGuard Full-Service QSA/ASV Firm We Know
More informationPCI DSS Compliance Guide
PCI DSS Compliance Guide 2009 Rapid7 PCI DSS Compliance Guide What is the PCI DSS? Negative media coverage, a loss of customer confidence, and the resulting loss in sales can cripple a business. As a result,
More informationPayment Card Industry Data Security Standard
Payment Card Industry Data Security Standard Introduction Purpose Audience Implications Sensitive Digital Data Management In an effort to protect credit card information from unauthorized access, disclosure
More informationVaronis Systems & The Payment Card Industry Data Security Standard (PCI DSS)
CONTENTS OF THIS WHITE PAPER Overview... 1 Background... 1 Who Needs To Comply... 1 What Is Considered Sensitive Data... 2 What Are the Costs/Risks of Non-Compliance... 2 How Varonis Helps With PCI Compliance...
More informationTwo Approaches to PCI-DSS Compliance
Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,
More informationP R O G R E S S I V E S O L U T I O N S
PCI DSS: PCI DSS is a set of technical and operational mandates designed to ensure that all organizations that process, store or transmit credit card information maintain a secure environment and safeguard
More informationWhat s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1
What s New in PCI DSS 2.0 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 Agenda PCI Overview PCI 2.0 Changes PCI Advanced Technology Update PCI Solutions 2010 Cisco and/or
More informationSecurity Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments
Security in the Payment Card Industry OWASP AppSec Seattle Oct 2006 Hap Huynh, Information Security Specialist, Visa USA hhuynh@visa.com Copyright 2006 - The OWASP Foundation Permission is granted to copy,
More informationPCI Compliance: Protection Against Data Breaches
Protection Against Data Breaches Get Started Now: 877.611.6342 to learn more. www.megapath.com The Growing Impact of Data Breaches Since 2005, there have been 4,579 data breaches (disclosed through 2013)
More informationYour guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)
Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions Version 5.0 (April 2011) Contents Contents...2 Introduction...3 What are the 12 key requirements of
More informationPCI Security Compliance
E N T E R P R I S E Enterprise Security Solutions PCI Security Compliance : What PCI security means for your business The Facts Comodo HackerGuardian TM PCI and the Online Merchant Overview The Payment
More informationIT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER
July 9 th, 2012 Prepared By: Mark Akins PCI QSA, CISSP, CISA WHITE PAPER IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD PCI DSS for Merchants The Payment
More informationsafe and sound processing online card payments securely
safe and sound processing online card payments securely Executive summary The following information and guidance is intended to provide key payment security advice to new or existing merchants who trade
More informationPCI Standards: A Banking Perspective
Slide 1 PCI Standards: A Banking Perspective Bob Brown, CISSP Wachovia Corporate Information Security Slide 2 Agenda 1. Payment Card Initiative History 2. Description of the Industry 3. PCI-DSS Control
More informationTokenization Amplified XiIntercept. The ultimate PCI DSS cost & scope reduction mechanism
Tokenization Amplified XiIntercept The ultimate PCI DSS cost & scope reduction mechanism Paymetric White Paper Tokenization Amplified XiIntercept 2 Table of Contents Executive Summary 3 PCI DSS 3 The PCI
More informationWhat are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:
What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International
More informationPCI Compliance Are you at Risk? September 17, 2014 Dan Garrett/Matt Fluegge Vantiv
PCI Compliance Are you at Risk? September 17, 2014 Dan Garrett/Matt Fluegge Vantiv Security Challenges Desirability of Data 80% of all data breaches is payment card data (Verizon RISK team assessment)
More informationPC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA
PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?
More informationInformation Technology
Credit Card Handling Security Standards Overview Information Technology This document is intended to provide guidance to merchants (colleges, departments, organizations or individuals) regarding the processing
More informationMerchant guide to PCI DSS
Merchant guide to PCI DSS Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 BOIPA Simple PCI DSS - 3 step approach to helping businesses... 3 What does
More information2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock
2015 PCI DSS Meeting OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock 11/3/2015 Today s Presentation What do you need to do? What is PCI DSS? Why PCI DSS? Who Needs to Comply
More informationComodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business
Comodo HackerGuardian PCI Security Compliance The Facts What PCI security means for your business Overview The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements intended
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers For use with PCI DSS Version 3.1 Revision 1.1 July 2015 Section 1: Assessment
More informationPCI DSS v2.0. Compliance Guide
PCI DSS v2.0 Compliance Guide May 2012 PCI DSS v2.0 Compliance Guide What is PCI DSS? Negative media coverage, a loss of customer confidence, and the resulting loss in sales can cripple a business. As
More informationMEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM
MEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM PCI DSS 1.1 compliance requirements demand a new level of administration and oversight for merchants, banks and service providers to maintain
More informationPayment Card Industry Data Security Standard (PCI DSS) v1.2
Payment Card Industry Data Security Standard (PCI DSS) v1.2 Joint LA-ISACA and SFV-IIA Meeting February 19, 2009 Presented by Mike O. Villegas, CISA, CISSP 2009-1- Agenda Introduction to PCI DSS Overview
More informationMinnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements
Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More informationAnalyzing Security for Retailers An analysis of what retailers can do to improve their network security
Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary
More informationGlobal Partner Management Notice
Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with
More informationPCI DSS Overview. By Kishor Vaswani CEO, ControlCase
PCI DSS Overview By Kishor Vaswani CEO, ControlCase Agenda About PCI DSS PCI DSS Applicability to Banks, Merchants and Service Providers PCI DSS Technical Requirements Overview of PCI DSS 3.0 Changes Key
More information