1 So you want to take Credit Cards! Payment Card Industry - Data Security Standard (PCI-DSS). Doug Cox, GSEC, CPTE, PCI/ISA, MBA, Data Security Analyst, University of Michigan
2 PCI in Higher Ed: expected to accept credit cards; organizational complexity; Higher Ed is not a traditional business.
3 What this talk is not covering!
4 What this talk is covering! Network Connected Solutions
5 Why are we talking about PCI compliance!
6 Some slides contain way too much text. This is by design so this slide deck can be used as a reference.
7 Agenda When does PCI DSS apply? Who is the PCI Security Standards Council? PCI DSS 3.1 in detail Challenges?
8 When does PCI DSS apply? Payment Accepting Card Industry Data Security Standard And you hold the Merchant ID (MID)!
9 PCI Security Standards Council Launched 2006 Founders of the Council American Express Discover Financial Services JCB International MasterCard Visa Inc.
10 Standards Ecosystem: PIN Transaction Security (PTS) Requirements; Payment Application Data Security Std (PA-DSS); Data Security Standard (DSS); Point-to-Point Encryption Standard (P2PE); PCI DSS Designated Entities Supplemental Validation
11 You are here!
12 Consequences: Loss of reputation. Enforcer - the card brands. Assessed penalties: $500K fine; forensic investigation fees $10-20K and up; reimbursement of fraudulent purchases; card replacement $20-30/ea; blacklisted - no longer able to take credit cards.
13 Who Owns PCI Compliance! Most institutions: Bursar's or Treasurer's Office. How is it reported: depends on the Merchant Bank. The merchant: the unit or department that accepts credit cards, holds the Merchant ID (MID), and may rely on other departments (such as IT).
14 The Transaction
15 The Players. Transaction parties: Issuer; Cardholder; Merchant; Payment Gateway; Payment Applications; Acquiring/Merchant Bank; Service Provider. Assessors and vendors: QSA; PA-QSA; Internal Security Assessor (ISA); ASV; QIR.
16 Internal Stakeholders Administration Unit Development Networking Data Center Web hosting & application development IT Security Compliance Office
18 Merchant Bank / Merchant Acquirer. Merchant compliance validation is prioritized by: volume of transactions; potential risk; exposure introduced into the payment system. Determines Level (1-4). Each card brand has its own but similar requirements. Unlike other regulations (FERPA, HIPAA, etc.), PCI is a contract with the acquirer. Also the arbiter of questions on PCI interpretation.
19 Level 1: Merchants processing 1 million to 6 million Visa transactions annually (all channels). Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA), or Internal Auditor if signed by an officer of the company. The internal auditor is highly recommended to obtain the PCI SSC Internal Security Assessor (ISA) certification. Quarterly network scan by Approved Scan Vendor (ASV). Attestation of Compliance Form.
20 Level 2/3: 2) Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region. 3) Merchants processing 20,000 to 1 million Visa e-commerce transactions annually. Annual Self-Assessment Questionnaire (SAQ). Quarterly network scan by ASV. Attestation of Compliance Form.
21 Level 4: Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually. Annual SAQ recommended. Quarterly network scan by ASV if applicable. Compliance validation requirements set by merchant bank.
22 PCI DSS v Requirements: 115 pages & over 350 controls. Scope of PCI DSS Requirements (page 10); Network Segmentation (page 11); Best Practices for Implementing Business As Usual (page 13). (April 2015)
24 Build and Maintain a Secure Network 1) Install and maintain a firewall configuration to protect cardholder data Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks Current diagram that shows all cardholder data flows across systems and networks 2) Do not use vendor-supplied defaults for system passwords and other security parameters. 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network Implement additional security features for any required services, protocols, or daemons that are considered to be insecure for example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, filesharing, Telnet, FTP, etc.
25 Protect Cardholder Data 3) Protect stored cardholder data 3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage: 3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. 4) Encrypt transmission of cardholder data across open public networks 4.1 Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks. 4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.). SSL and early TLS are no longer considered secure!!!
26 Maintain a Vulnerability Management Program 5) Use and regularly update anti-virus software or programs 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software. 6) Develop and maintain secure systems and applications 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as high, medium, or low) to newly discovered security vulnerabilities. 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
27 Implement Strong Access Control Measures 7) Restrict access to cardholder data by business need-to-know 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. 7.2 Establish an access control system for system components that restricts access based on a user's need to know, and is set to deny all unless specifically allowed. 8) Assign a unique ID to each person with computer access 8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components. Change user passwords/passphrases at least once every 90 days. 9) Restrict physical access to cardholder data 9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.
28 Regularly Monitor and Test Networks 10) Track and monitor all access to network resources and cardholder data 10.1 Implement audit trails to link all access to system components to each individual user Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). 11) Regularly test security systems and processes 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades) Implement a methodology for penetration testing that includes the following:
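Requirement 10.1 above asks for change detection on the logs themselves: an edit or deletion of existing entries must raise an alert, while appending new entries must not. One way to get that property is to chain every log line to its predecessor with a keyed hash, so that an altered or removed line breaks every tag after it. The Python below is an added example, not code or tooling from the deck: the demo key, the log lines and the pos01 host name are constructed, and in practice the key and the latest tag would be held by the log collector rather than on the logging host.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed demo key; a real deployment keeps this off the host that writes the log.
CHAIN_KEY = b"demo-key-not-for-production"
GENESIS = "0" * 64   # tag the first record is chained to

# Constructed sample log lines from a hypothetical POS host.
SAMPLE_LOG = [
    "2016-06-01T10:02:11Z host=pos01 user=jdoe action=login result=success",
    "2016-06-01T10:05:42Z host=pos01 user=jdoe action=export table=orders rows=120",
    "2016-06-01T10:06:03Z host=pos01 user=jdoe action=logout",
]

Record = Tuple[str, str]   # (log line, chain tag)


def chain_tag(prev_tag: str, line: str, key: bytes = CHAIN_KEY) -> str:
    """HMAC-SHA256 over the previous tag and this line, linking the line to everything before it."""
    msg = prev_tag.encode() + b"\n" + line.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entries(records: List[Record], lines: List[str]) -> List[Record]:
    """Return a new chained log with the given lines appended (existing records untouched)."""
    prev = records[-1][1] if records else GENESIS
    out = list(records)
    for line in lines:
        tag = chain_tag(prev, line)
        out.append((line, tag))
        prev = tag
    return out


def verify_chain(records: List[Record]) -> Optional[int]:
    """Return None if every tag verifies, else the index of the first record that does not.

    An edited line fails at its own index; a deleted line makes the next record fail,
    because that record was tagged against the tag of the line that is now missing.
    """
    prev = GENESIS
    for i, (line, tag) in enumerate(records):
        if not hmac.compare_digest(chain_tag(prev, line), tag):
            return i
        prev = tag
    return None


def truncated_before(records: List[Record], anchor_tag: str) -> bool:
    """True if the record carrying the tag last reported to the collector is gone.

    Deleting records only from the tail leaves a valid shorter chain, so the collector
    keeps the latest tag it saw (the anchor) and checks it still appears in the log.
    """
    return not any(hmac.compare_digest(tag, anchor_tag) for _, tag in records)


if __name__ == "__main__":
    log = append_entries([], SAMPLE_LOG)
    print("intact:", verify_chain(log))                       # None
    tampered = list(log)
    tampered[1] = (tampered[1][0].replace("rows=120", "rows=1"), tampered[1][1])
    print("edited record detected at index:", verify_chain(tampered))   # 1
    print("tail deleted:", truncated_before(log[:-1], log[-1][1]))     # True
```

Appending is the only operation that keeps the chain valid, which is exactly the behaviour the slide asks for; the anchor check covers the one case a bare hash chain cannot, deletion of the newest records, and is why the last tag belongs somewhere the logging host cannot rewrite.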
29 Maintain an Information Security Policy 12) Maintain a policy that addresses information security for all personnel 12.1 Establish, publish, maintain, and disseminate a security policy. Implement a risk-assessment process that: Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures. General policies are most likely not sufficient; policies need to be specific to the PCI environment.
30 But wait ---- There is more!!!
31 Self Assessment Questionnaire? The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to assist merchants and service providers in reporting the results of their PCI DSS self-assessment. Fact: if a merchant is accepting a payment card, the entirety of the PCI DSS always applies to them.
32 Which SAQ to use? First determine scope. The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. System components include network devices, servers, computing devices, and applications. Examples of system components include but are not limited to the following:
- Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of the CDE (for example, name resolution or web redirection servers).
- Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
- Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
- Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
- Applications including all purchased and custom applications, including internal and external (for example, Internet) applications.
- Any other component or device located within or connected to the CDE.
(Payment Card Industry (PCI) Data Security Standard, v3.1, page 10)
33 Transaction Type: Card Present (Face to Face). (##) = approximate number of controls. SAQ B (41); SAQ B-IP (83); SAQ C (139); SAQ C-VT (73); SAQ D (326); P2PE-HW (w/approved solution) (35)
34 Transaction Type: MO/TO (Mail Order / Telephone Order). (##) = approximate number of controls. SAQ A (14); SAQ B (41); SAQ B-IP (83); SAQ C (139); SAQ C-VT (73); SAQ D (326); P2PE-HW (w/approved solution) (35)
35 Transaction Type: Card-not-present (i.e. ecommerce). (##) = approximate number of controls. SAQ A (14); SAQ A-EP (139); SAQ D (326)
36 Meet the PCI 3.1 SAQ lineup:
SAQ      | ecommerce            | Mail Order / Telephone Order | Face to Face
A        | Yes (only ecommerce) | Yes (or only MO/TO)          | No
A-EP     | Yes                  | No                           | No
B        | No                   | Yes                          | Yes
B-IP     | No                   | Yes                          | Yes
C        | No                   | Yes                          | Yes
C-VT     | No                   | Yes                          | Yes
D        | Yes                  | Yes                          | Yes
P2PE-HW  | No                   | Yes                          | Yes
37 Each SAQ has the following: Before You Begin - describes what type of merchant can use the SAQ. Part 2g. Eligibility to Complete SAQ? - a signed attestation that requirements are met! Disclaimer - This shortened version of the SAQ includes questions that apply to a specific type of small merchant environment, as defined in the above eligibility criteria. If there are PCI DSS requirements applicable to your environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for your environment. Additionally, you must still comply with all applicable PCI DSS requirements in order to be PCI DSS compliant.
38 MO/TO & ecommerce SAQ A
39 ecommerce SAQ A-EP
40 Swipe Terminal SAQ B-IP
41 POS SAQ C
42 Virtual Terminal (VT) POS SAQ C-VT
43 SAQ P2PE - HW
44 SAQ D
45 A Prioritized Approach
46 Shared Responsibilities. But: the Merchant has bottom-line responsibility for compliance! Business as usual - not a checklist. Not a point in time - but a continual process. No merchant has been found compliant after a breach! EMV (Chip & Signature) is a shift in liability! EMV is not part of compliance!
47 Reducing Scope: Do not store credit card numbers; firewall & segment the network; P2PE devices & solutions; prioritized approach; Level 1 service provider; PCI approved devices & applications.
48 Challenges: Lack of network maps and data flow diagrams. "Our vendor said they were PCI compliant so we are good - right?" Misinterpreting the requirements. "But doesn't xyz department / group do that for us?" Reputational risks. Ever changing standards (minimally every 3 years).
49 PCI DSS is a good standard - make use of the fact you are compliant! Consider what parts of PCI make sense to use in other areas! Don't choose a SAQ and try to fit into it! SAQ D is not a bad thing! Remember to do the right thing!
50 Resources American Express: Discover Financial Services: JCB International: MasterCard: Visa Inc: Visa Europe:
51 Doug Cox GSEC, CPTE, PCI/ISA, MBA Data Security Analyst University of Michigan