PCI Compliance Are you at Risk? September 17, 2014 Dan Garrett/Matt Fluegge Vantiv

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "PCI Compliance Are you at Risk? September 17, 2014 Dan Garrett/Matt Fluegge Vantiv"

Transcription

1 PCI Compliance Are you at Risk? September 17, 2014 Dan Garrett/Matt Fluegge Vantiv

2 Security Challenges Desirability of Data 80% of all data breaches is payment card data (Verizon RISK team assessment) Cardholder data is easily sold in the underground economy for as much as $25 per card (Symantec Corp) Credit card information is the highest percentage of goods sold on the black market (Symantec Corp) Evolving Threats 91% of all compromised records were linked to organized crime groups (Verizon RISK team) Sophistication of attacks are shifting from obvious, physically accessible targets to less obvious targets and less physically secure data 2

3 Security Challenges -- continued Merchant s Core Competency Hard to maintain compliance 81% of breached merchants were found to be noncompliant and that compliance would have prevented the breach (Verizon Data Breach Assessment) In 66% of the cases, the breach involved data the company didn t even know was in their system. 3

4 Current Security Environment Over 60% of all websites impacted Serious vulnerability in Open SSL that allows attackers to: eavesdrop on communications steal data directly from the services and users impersonate services and users Versions of OpenSSL through 1.0.1f if in use, can be abused OpenSSL 1.0.1g released on 7th of April, 2014 fixes the bug. Copyright

5 Current Security Environment As of April 8, 2014 XP is no longer supported Over 95 percent of the world s ATMs are running on XP System running XP will be five times more vulnerable to security risks such as viruses and malware New POS/ATM devices will no longer be compatible with XP Achieving PCI DSS compliance on XP is virtually impossible Copyright

6 Windows XP and PCI Compliance IMPORTANT SECURITY NOTICE - On April 8, 2014, Microsoft ceased support for the Windows XP operating system. This marks the official end of technical support and security updates from Microsoft. Security updates help keep your system and data safe by patching vulnerabilities that may be exploited by malicious individuals. Computers running Windows XP after April 8, 2014 should not be considered to be protected, and it is important that you migrate to a more current operating system. If your organization continues to run the Windows XP Operating System after Microsoft's end-oflife date of April 8, 2014, it will no longer be compliant with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS Requirements 6.1 and 6.2 address the need to keep systems up to date with vendorsupplied security patches in order to protect systems from known vulnerabilities. If you have not already begun making plans to upgrade or replace your systems running XP, now is the time to do so. For more information please visit the following address: pcisecuritystandards.org

7 Current Security Environment Even large multi-national organizations are only as good as their weakest link, who has access to your system? Copyright

8 Breach Costs 4 Critical Areas Forensic Audit Expense Replacement & Monitoring Compliance Cases & ADCR Association Fines Cost of mandatory 3 rd party forensic investigation required by card associations for suspected or confirmed breaches. Issuer cost associated with compromised card replacement or account monitoring to watch for potential fraud. Issuer fraud loss recovery from fraudulent transactions attributable to the breach. Non-compliance fines may be assessed depending on size of the business and circumstances that led to breach. Potential Costs Associated with a Breach: $8k - $20k for Level 4 Merchants (one location). $3 - $5 per card replacement. Depends on the size and scale of breach. Ranges from $5,000 to $500,000. 8

9 Impact of Failure Average Impact of data breach: 8.1% customer defections* 8.0% revenue decline* 8.0% decline in stock price* (*IT Policy Compliance Group) 3 out of 4 customers won t shop again at a compromised merchant (Verizon Data Breach report) 9

10 The Reality of Card Data Compromise Card Data Compromises: An Analysis Business Type by Percentage Brick & Mortar 1% ecommerce 24% MOTO Card Present 73% 24% 75% 75% Historically, card present merchants have been targeted by thieves and hackers, but now those with the most vulnerability are being targeted. Source: Trustwave (based upon total number of breach events) 10

11 Historical State of the Industry (2008/2009) Challenges by the Numbers The average cost of a data breach is $202 per record. For a large-scale breach, it is about $6.6 million. 3 Payment data breaches represented 98% of all data breaches in More than 280 million payment card records were breached in Trustwave Global Security Report Verizon 2009 Data Breach Investigations Report 3 Ponemon Institute, 2008 Annual Study: Cost of a Data Breach A significant data breach at one PCI Level 1 Retailer has cost over $250 million so far

12 in 2011 The average cost of a data breach is down to $194 per record. Cost per breach is about $5.5 million. 3 Decreases for the first time in 7 years. 3 What is one conclusion we might be able to draw from these decreases? 1 Trustwave Global Security Report Verizon 2009 Data Breach Investigations Report 3 Ponemon Institute, Annual Study: Cost of a Data Breach FBI Director Robert Mueller: There are only two types of companies. Those that have been hacked and those that will be.

13 Card Breach Five Key Issues Prohibited data storage by smaller merchants A recent resurgence of SQL injection attacks against E-commerce merchants Packet Sniffers and Key Stroke Loggers Often installed by exploiting insecure remote access or poor network configuration Debugging Software/Volatile Memory Parsing Vulnerability of even Payment Application (PA) DSS validated applications to some attack vectors Highlighting the need for full compliance 13

14 2011 Data Breach Investigations Report Verizon, 2011 # Employees Incidents Percentage % % 101-1, % 1,001-10, % 10, , % 100, % Unknown % Total % 14

15 2.4 Million Cards Card Numbers & Expiration Dates were being lifted from processing systems using malware (malicious software) Data was then sold on the black market and used on fake cards around the country Stolen over a 3-month period 15

16 It s not whether the merchant will be breached but when Type of attack Attack vector # Cards Network Data in flight Network Data at rest Network Data in flight SQL injection SQL Injection SQL Injection Total damages 130 million $140MM 94 million $256MM 4.2 million $252MM Est. Network N/A 1.5 million $90MM Est. Physical Terminal tamper 94K $5.6MM Est. 250 million + ~ $750MM

17 We re seeing a lot of issues that are caused by the low-hanging fruit, the simple things that just don t get done, said Aaron Weller, managing director of data protection and privacy practice at PricewaterhouseCoopers Inc. You see people every day using unencrypted USB keys and losing thousands of records. It s not always the hard stuff that hurts you. Oftentimes, it s the simple stuff.

18 Security experts interviewed by the St. Louis Post- Dispatch say that hacks like Schnucks are on the rise as hacker gangs, many based in Eastern Europe, go after smaller, regional businesses that they see as easy targets. Grocery store chains are especially vulnerable, some experts note, because they operate on thin margins and may not have the budgets to spend on data security.

19 Payment Card Industry (PCI) Compliance

20 Card Data Security How Secure is Your Cardholder Data? Building Your Foundation Through PCI Data Security Standard (DSS) Compliance How will you Protect your business and customer data? Protecting Against a Card Data Compromise Ongoing Compliance, Protection, Education 20

21 PCI DSS Compliance Payment Card Industry Data Security Standard (PCI DSS) Developed and supported by the card associations to help protect cardholder data from being compromised Applies to all organizations, systems, networks and applications that process, store or transmit at least the cardholder number. Store no cardholder data beyond name, number, expiration date and service code All merchants are required to comply 21

22 PCI DSS Compliance Twelve high-level requirements designed to: Build and maintain a secure network (firewalls, vendor supplied defaults) Protect cardholder data (encrypted transmission across public networks) Maintain vulnerability management programs (anti-virus software, applications) Implement strong access control measures (access data on business need to know, unique user IDs for computer access, restrict physical access to cardholder data) Monitor access and test security systems & networks Ensure maintenance of information security policies 22

23 PCI DSS Compliance Merchant Levels: Merchant Level Merchant Level Merchant Level Merchant Level Any merchant processing 6 million Visa or MasterCard transactions/year, regardless of acceptance channel. Also, any merchant the card brands deem Level 1. Any merchant, regardless of acceptance channel, processing 1-6 million Visa or MasterCard transactions per year Any merchant processing 20,000 to 1 million e-commerce Visa or MasterCard transactions per year All other merchants, regardless of acceptance channel Level 4 merchants are also affected. Level 1 merchants have rigorous compliance requirements. 23

24 PCI DSS Compliance Merchant Validation Merchant Levels On-Site Assessment Self Assessment Questionnaire Network Vulnerability Scans Level * Report on Compliance (ROC)* Submitted Annually Not Applicable Required Quarterly Level * Not Applicable Submitted to Acquirer Annually* Required Quarterly Level Not Applicable Submitted to Acquirer Annually Required Quarterly Level Not Applicable Best Practice Annually Submitted at Acquirer s Discretion Required Quarterly Submitted at Acquirer s Discretion *Note: Due to MasterCard Site Data Protection (SDP) program rules, all level 1 and 2 merchants that elect to perform their own validation assessments must ensure that the primary internal auditor staff engaged in validating PCI DSS compliance attend merchant training programs offered by the PCI Security Standards Council (PCI SSC) and pass any PCI SSC associated accreditation program annually in order to continue validation in this manner. The training deadline is June 30,

25 PCI Assist & Breach Assistance

26 PCI Assist What is it? A set of online data security tools targeted to Level 4 merchants Helps merchants protect their businesses with best practices Provides step-by-step instructions for completing critical steps required for PCI compliance validation A service provided by Trustwave, the leading provider of PCI DSS compliance services Uses Trustkeeper compliance management software 26

27 PCI Assist Features Accessed through Trustwave s portal Includes self-assessment wizard that asks simple questions Completes the appropriate SAQ in the background Includes an external vulnerability scan for IP connected merchants Easy As 1-2-3/Simply Visit: 1. First, the tool will identify how you currently accept credit cards 2. Next, you will be asked to register in Trustwave Your Trustkeeper registration data helps to customize your experience based on your processing environment 3. Finally, you will be guided to the correct PCI Wizard for your specific business This includes accessing the appropriate Self-Assessment Questionnaire and identifying if vulnerability scanning is necessary Remember: Cardholder data security is a merchant s responsibility. Level 4 merchants must validate compliance annually. 27

28 Breach Assist What is it? Protection in a Compromise Situation: Hackers continue to find ways into the most vital data of companies large and small. Breach Assist helps protect your business from financial losses in four critical areas in the case of a suspected or actual data breach at your merchant location(s)*. Breach Assist programs can provide indemnification of up to $100,000 per merchant location **. * Assistance requires written notification or acknowledgement from the card associations of a suspected or actual data breach. Vantiv is not an insurance company and Breach Assist is not insurance. Breach Assist provides a contractual indemnity waiver for amounts merchant would otherwise be contractually obligated to reimburse/indemnify Vantiv and is subject to the terms and conditions of participation in the program. 28

29 Secure Encryption and Tokenization

30 Encryption and Tokenization P2PE and Tokenization are a powerful data protection combination. We will provide the latest in secure technology. Point-to-Point Encryption (P2PE) for data in motion Keeps cardholder data secure from inception to completion Reduces likelihood of thieves obtaining usable card information if system is compromised Reduces scope of the merchant s PCI compliance assessment. Tokenization for data at rest Replaces card numbers with a substitute value (token) Prevents the value from being used to originate fraudulent transactions Reduces risk associated with storing cardholder data 30

31 P2P Encryption and Tokenization How it Works Card data is encrypted at the point of capture. Personal Access Number, Track & Expiration Data encrypted in device. Encryption transferred from merchant s POS/Host to Vantiv/Processor We decrypt data and transmit to the networks. Authorization received, card token generated and sent back to merchant Merchant completes post-auth & back-office activities 31

32 Requirement 4: Encrypt transmission of cardholder data across open, public networks Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments. 32

33 Requirement 4: Encrypt transmission of cardholder data across open, public networks,.continued Keep in mind that the standard requires the encryption of cardholder data over open, public networks. The connection between the keyboard and PC doesn t qualify. Encrypted keyboards and keypads can be used as an added layer of protection but it is not a requirement as the connection does not qualify as an open, public network. 33

34 Can you reduce the scope of your PCI Compliance AND reduce the cost of card acceptance?

35 FREE SAVINGS ANALYSIS & QUESTIONS Interested in a FREE interchange qualification analysis for attending today s presentation? or fax a copy of your company s recent monthly merchant services statement(s) to: Matt Fluegge (fax) (phone) THANK YOU!! 35

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud

More information

Frequently Asked Questions

Frequently Asked Questions PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply

More information

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements

More information

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate. MasterCard PCI & Site Data Protection (SDP) Program Update Academy of Risk Management Innovate. Collaborate. Educate. The Payment Card Industry Security Standards Council (PCI SSC) Open, Global Forum Founded

More information

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History

More information

ICCCFO Conference, Fall 2011. Payment Fraud Mitigation: Securing Your Future

ICCCFO Conference, Fall 2011. Payment Fraud Mitigation: Securing Your Future ICCCFO Conference, Fall 2011 Payment Fraud Mitigation: Securing Your Future Presented by: Brian Irwin, CTP Vice President Fifth Third Bank Commercial Treasury Management And Claire Dittrich Executive Consultant-

More information

SecurityMetrics Introduction to PCI Compliance

SecurityMetrics Introduction to PCI Compliance SecurityMetrics Introduction to PCI Compliance Card Data Compromise What is a card data compromise? A card data compromise occurs when payment card information is stolen from a merchant. Some examples

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards The payment card industry data security standard PCI DSS Visa and MasterCard have developed the Payment Card Industry Data Security Standard or PCI DSS as

More information

What You Need to Know About PCI SSC. 2014 Guiding open standards for global payment card security

What You Need to Know About PCI SSC. 2014 Guiding open standards for global payment card security What You Need to Know About PCI SSC 2014 About the PCI Council Founded in 2006 - Guiding open standards for payment card security Development Management Education Awareness Expanding Global Representation

More information

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

WHITE PAPER. PCI Basics: What it Takes to Be Compliant WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through

More information

PCI Compliance Top 10 Questions and Answers

PCI Compliance Top 10 Questions and Answers Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs

More information

PAI Secure Program Guide

PAI Secure Program Guide PAI Secure Program Guide A complete guide to understanding the Payment Card Industry Data Security Requirements and utilizing the PAI Secure Program. Letter From the CEO Welcome to PAI Secure. As you

More information

Payment Card Industry Data Security Standards.

Payment Card Industry Data Security Standards. Payment Card Industry Data Security Standards. Your guide to protecting cardholder data Helping you manage the risk. Credit Card fraud and data compromises are an increasingly serious problem, costing

More information

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Whitepaper. PCI Compliance: Protect Your Business from Data Breach Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your

More information

Project Title slide Project: PCI. Are You At Risk?

Project Title slide Project: PCI. Are You At Risk? Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

More information

Visa Account Information Security Tool Kit. Welcome to the Visa Account Information Security Program

Visa Account Information Security Tool Kit. Welcome to the Visa Account Information Security Program Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)

More information

Your Compliance Classification Level and What it Means

Your Compliance Classification Level and What it Means General Information What are the Payment Card Industry (PCI) Data Security Standards? The PCI Data Security Standards represents a common set of industry tools and measurements to help ensure the safe

More information

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER July 9 th, 2012 Prepared By: Mark Akins PCI QSA, CISSP, CISA WHITE PAPER IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD PCI DSS for Merchants The Payment

More information

PCI Compliance for Healthcare

PCI Compliance for Healthcare PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?

More information

PCI Compliance: How to ensure customer cardholder data is handled with care

PCI Compliance: How to ensure customer cardholder data is handled with care PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4

More information

Achieving Compliance with the PCI Data Security Standard

Achieving Compliance with the PCI Data Security Standard Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),

More information

PCI Compliance. Top 10 Questions & Answers

PCI Compliance. Top 10 Questions & Answers PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements

More information

PCI DSS Compliance. 2015 Information Pack for Merchants

PCI DSS Compliance. 2015 Information Pack for Merchants PCI DSS Compliance 2015 Information Pack for Merchants This pack contains general information regarding PCI DSS compliance and does not take into account your business' particular requirements. ANZ recommends

More information

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW David Kittle Chief Information Officer Chris Ditmarsch Network & Security Administrator Smoker Friendly International / The Cigarette Store Corp

More information

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Whitepaper. PCI Compliance: Protect Your Business from Data Breach Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your

More information

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment

More information

Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) Payment Card Industry Data Security Standard (PCI DSS) WARNING: Your company may be in noncompliance with the Payment Card Industry Data Security Standard (PCI DSS), placing it at risk of brand damage,

More information

AISA Sydney 15 th April 2009

AISA Sydney 15 th April 2009 AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks

More information

Version 7.4 & higher is Critical for all Customers Processing Credit Cards!

Version 7.4 & higher is Critical for all Customers Processing Credit Cards! Version 7.4 & higher is Critical for all Customers Processing Credit Cards! Data Pro Accounting Software has met the latest credit card processing requirements with its release of Version 7.4 due to the

More information

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008 Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities

More information

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009

AIS Webinar. Payment Application Security. Hap Huynh Business Leader Visa Inc. 1 April 2009 AIS Webinar Payment Application Security Hap Huynh Business Leader Visa Inc. 1 April 2009 1 Agenda Security Environment Payment Application Security Overview Questions and Comments Payment Application

More information

Need to be PCI DSS compliant and reduce the risk of fraud?

Need to be PCI DSS compliant and reduce the risk of fraud? Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction

More information

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011) Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions Version 5.0 (April 2011) Contents Contents...2 Introduction...3 What are the 12 key requirements of

More information

Two Approaches to PCI-DSS Compliance

Two Approaches to PCI-DSS Compliance Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,

More information

Westpac Merchant. A guide to meeting the new Payment Card Industry Security Standards

Westpac Merchant. A guide to meeting the new Payment Card Industry Security Standards Westpac Merchant A guide to meeting the new Payment Card Industry Security Standards Contents Introduction 01 What is PCIDSS? 02 Why does it concern you? 02 What benefits will you receive from PCIDSS?

More information

PCI Compliance Overview

PCI Compliance Overview PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)

More information

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS The PCI Security Standards Council http://www.pcisecuritystandards.org The OWASP Foundation http://www.owasp.org Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS Omar F. Khandaker,

More information

PCI Data Security Standards

PCI Data Security Standards PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million

More information

PCI Compliance: Protection Against Data Breaches

PCI Compliance: Protection Against Data Breaches Protection Against Data Breaches Get Started Now: 877.611.6342 to learn more. www.megapath.com The Growing Impact of Data Breaches Since 2005, there have been 4,579 data breaches (disclosed through 2013)

More information

The Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development

The Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment Card Industry Data Security Standards

More information

SecurityMetrics. PCI Starter Kit

SecurityMetrics. PCI Starter Kit SecurityMetrics PCI Starter Kit Orbis Payment Services, Inc. 42 Digital Drive, Suite 1 Novato, CA 94949 USA Dear Merchant, Thank you for your interest in Orbis Payment Services as your merchant service

More information

PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz

PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz PCI-DSS: A Step-by-Step Payment Card Security Approach Amy Mushahwar & Mason Weisz The PCI-DSS in a Nutshell It mandates security processes for handling, processing, storing and transmitting payment card

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This

More information

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business Comodo HackerGuardian PCI Security Compliance The Facts What PCI security means for your business Overview The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements intended

More information

What a Processor Needs from a University to Validate Compliance

What a Processor Needs from a University to Validate Compliance What a Processor Needs from a University to Validate Compliance Lisa T. Conroy Merchant Compliance Manager Vantiv May 24, 2016 Disclosures The information included in this presentation is for information

More information

$22k. Payment Card Data Breaches: What You Need to Know About Your Risk and Liability. First Data Market Insight

$22k. Payment Card Data Breaches: What You Need to Know About Your Risk and Liability. First Data Market Insight Need to Know About Your Risk and Liability Many small merchants are surprised to learn that they can be held liable for tens of thousands of dollars in fines and other expenses when a card data breach

More information

PCI DSS 3.0 Changes & Challenges P R E S I D E N T/ C O - F O U N D E R F R S EC U R E

PCI DSS 3.0 Changes & Challenges P R E S I D E N T/ C O - F O U N D E R F R S EC U R E PCI DSS 3.0 Changes & Challenges EVAN FRANCEN, CISSP CISM P R E S I D E N T/ C O - F O U N D E R F R S EC U R E PCI DSS 3.0 Changes & Challenges Topics FRSecure, the company Introduction to PCI-DSS Recent

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

PCI DSS Compliance White Paper

PCI DSS Compliance White Paper PCI DSS Compliance White Paper 2012 Edition Copyright 2012, NetClarity, Inc. All rights reserved worldwide. Patents issued and pending. PCI DSS Compliance White Paper NetClarity, Inc. Page 1 Welcome to

More information

PCI Security Compliance

PCI Security Compliance E N T E R P R I S E Enterprise Security Solutions PCI Security Compliance : What PCI security means for your business The Facts Comodo HackerGuardian TM PCI and the Online Merchant Overview The Payment

More information

PCI Security Standards Council

PCI Security Standards Council PCI Security Standards Council Jeremy King, European Director 2013 Why PCI Matters Applying PCI How You Can Participate Agenda 2 Why PCI Matters Applying PCI How You Can Participate Agenda About the PCI

More information

Credit Card Processing, Point of Sale, ecommerce

Credit Card Processing, Point of Sale, ecommerce Credit Card Processing, Point of Sale, ecommerce Compliance, Self Auditing, and More John Benson Kurt Willey HACKS REGULATIONS Greater Risk for Merchants Topics Compliance Changes Scans Self Audits

More information

Introduction to PCI DSS Compliance. May 18, 2009 1:15 p.m. 2:15 p.m.

Introduction to PCI DSS Compliance. May 18, 2009 1:15 p.m. 2:15 p.m. Introduction to PCI DSS Compliance May 18, 2009 1:15 p.m. 2:15 p.m. Disclaimer The opinions of the contributors expressed herein do not necessarily state or reflect those of the National Association of

More information

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00 PCI PA - DSS Point XSA Implementation Guide Atos Worldline Banksys XENTA SA Version 1.00 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page number 2 (16)

More information

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level. Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain

More information

Q: What is PCI? Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)? Q: What are the PCI compliance deadlines?

Q: What is PCI? Q: To whom does PCI apply? Q: Where can I find the PCI Data Security Standards (PCI DSS)? Q: What are the PCI compliance deadlines? Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

PCI Risks and Compliance Considerations

PCI Risks and Compliance Considerations PCI Risks and Compliance Considerations July 21, 2015 Stephen Ramminger, Senior Business Operations Manager, ControlScan Jon Uyterlinde, Product Manager, Merchant Services, SVB Agenda 1 2 3 4 5 6 7 8 Introduction

More information

Recent Developments in PCI DSS. PCI in the Headlines Risks to Higher Education PCI DSS Version 1.2

Recent Developments in PCI DSS. PCI in the Headlines Risks to Higher Education PCI DSS Version 1.2 Recent Developments in PCI DSS PCI in the Headlines Risks to Higher Education PCI DSS Version 1.2 1 2009 Breach Investigation Who did it? 74% external parties 20% insiders 32% implicated business partners

More information

PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA

PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?

More information

PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES

PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES CUTTING THROUGH THE COMPLEXITY AND CONFUSION Over the years, South African retailers have come under increased pressure to gain PCI DSS (Payment Card Industry

More information

Simplêfy Client Support and Information Services. PCI Compliance Guidebook

Simplêfy Client Support and Information Services. PCI Compliance Guidebook Simplêfy Client Support and Information Services PCI Compliance Guidebook Simplêfy, Inc. 301 Science Drive, Suite 280 Moorpark, CA 93021 Phone 888.341.2999 Fax 877.280.0885 Simplêfy is a Registered Trademark

More information

PCI-DSS Compliance. Ron Dinwiddie Chief Technology Officer J. Spargo & Associates

PCI-DSS Compliance. Ron Dinwiddie Chief Technology Officer J. Spargo & Associates PCI-DSS Compliance Ron Dinwiddie Chief Technology Officer J. Spargo & Associates Agenda What is PCI Compliance Why is PCI Important How does this impact me? Becoming PCI Compliant JSA PCI Strategy Risk

More information

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics About Us Matt Halbleib CISSP, QSA, PA-QSA Manager PCI-DSS assessments With SecurityMetrics for 6+ years SecurityMetrics Security

More information

Information for merchants. Program implementation details for merchants. Payment Card Industry Data Security Standard (PCI DSS)

Information for merchants. Program implementation details for merchants. Payment Card Industry Data Security Standard (PCI DSS) Postbank P.O.S. Transact GmbH (now EVO Kartenakzeptanz GmbH) has recently been purchased by EVO Payments International Group Program implementation details for merchants Payment Card Industry Data Security

More information

An article on PCI Compliance for the Not-For-Profit Sector

An article on PCI Compliance for the Not-For-Profit Sector Level 8, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 An article on PCI Compliance for the Not-For-Profit Sector Page No.1 PCI Compliance for the Not-For-Profit Sector

More information

PCI DSS. CollectorSolutions, Incorporated

PCI DSS. CollectorSolutions, Incorporated PCI DSS Robert Cothran President CollectorSolutions www.collectorsolutions.com CollectorSolutions, Incorporated Founded as Florida C corporation in 1999 Approximately 235 clients in 35 states Targeted

More information

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN PCI Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information

More information

Securing Your Customer Data Simple Steps, Tips, and Resources

Securing Your Customer Data Simple Steps, Tips, and Resources Securing Your Customer Data This document is intended to provide simple and quick information security steps for small to mid-size merchants that accept credit and/or debit cards as a form of payment for

More information

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure Bendigo and Adelaide Bank Ltd Security Incident Response Procedure Table of Contents 1 Introduction...1 2 Incident Definition...2 3 Incident Classification...2 4 How to Respond to a Security Incident...4

More information

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina ricklambert@sc.

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina ricklambert@sc. PCI Compliance at The University of South Carolina Failure is not an option Rick Lambert PMP University of South Carolina ricklambert@sc.edu Payment Card Industry Data Security Standard (PCI DSS) Who Must

More information

PCI Standards: A Banking Perspective

PCI Standards: A Banking Perspective Slide 1 PCI Standards: A Banking Perspective Bob Brown, CISSP Wachovia Corporate Information Security Slide 2 Agenda 1. Payment Card Initiative History 2. Description of the Industry 3. PCI-DSS Control

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Abhinav Goyal, B.E.(Computer Science) MBA Finance Final Trimester Welingkar Institute of Management ISACA Bangalore chapter 13 th February 2010 Credit Card

More information

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account

More information

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,

More information

npc npc NPC PCI Program Protecting Your Business from Card Data Breaches

npc npc NPC PCI Program Protecting Your Business from Card Data Breaches npc A Vantiv Company npc A Vantiv Company NPC PCI Program Protecting Your Business from Card Data Breaches For more information about the NPC PCI Program, please contact our dedicated PCI Specialty Team

More information

Protecting Your Customers' Card Data. Presented By: Oliver Pinson-Roxburgh

Protecting Your Customers' Card Data. Presented By: Oliver Pinson-Roxburgh Protecting Your Customers' Card Data Presented By: Oliver Pinson-Roxburgh Agenda Trustwave Overview PCI Scope Compromise Statistics PCI Makes Business Sense Registration Process TrustKeeper Features Support

More information

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com

More information

White Paper September 2013 By Peer1 and CompliancePoint www.peer1.com. PCI DSS Compliance Clarity Out of Complexity

White Paper September 2013 By Peer1 and CompliancePoint www.peer1.com. PCI DSS Compliance Clarity Out of Complexity White Paper September 2013 By Peer1 and CompliancePoint www.peer1.com PCI DSS Compliance Clarity Out of Complexity Table of Contents Introduction 1 Businesses are losing customer data 1 Customers are learning

More information

PCI DSS Presentation University of Cincinnati

PCI DSS Presentation University of Cincinnati PCI DSS Presentation University of Cincinnati Quick PCI Level Set Higher Ed Challenges Getting Compliant Application w/ customers Q& A PCI DSS Payment Card Industry Data Security Standard What is the PCI

More information

Account Information Security. Merchant Guide

Account Information Security. Merchant Guide Account Information Security Merchant Guide At Visa, protecting our cardholders is at the core of everything we do. One of the many reasons people trust our brand is that we make buying and selling safer

More information

White Paper. Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance

White Paper. Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance White Paper Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance Executive Overview

More information

Encryption and Tokenization: Protecting Customer Data. Your Payments Universally Amplified. Tia D. Ilori Sue Zloth September 18, 2013

Encryption and Tokenization: Protecting Customer Data. Your Payments Universally Amplified. Tia D. Ilori Sue Zloth September 18, 2013 Encryption and Tokenization: Protecting Customer Data Your Payments Universally Amplified Tia D. Ilori Sue Zloth September 18, 2013 Agenda Global Threat Landscape Real Cost of a Data Breach Evolution of

More information

PCI DSS Overview and Solutions. Anwar McEntee Anwar_McEntee@rapid7.com

PCI DSS Overview and Solutions. Anwar McEntee Anwar_McEntee@rapid7.com PCI DSS Overview and Solutions Anwar McEntee Anwar_McEntee@rapid7.com Agenda Threat environment and risk PCI DSS overview Who we are Solutions and where we can help Market presence High Profile Hacks in

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Office of the State Treasurer Ryan Pitroff Banking Services Manager Ryan.Pitroff@tre.wa.gov PCI-DSS A common set of industry tools and measurements to help

More information

Josiah Wilkinson Internal Security Assessor. Nationwide

Josiah Wilkinson Internal Security Assessor. Nationwide Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges

More information

PCI DSS and SSC what are these?

PCI DSS and SSC what are these? PCI DSS and SSC what are these? What does PCI DSS mean? PCI DSS is the English acronym for Payment Card Industry Data Security Standard. What is the PCI DSS programme? The bank card data, which are the

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial

More information

Global Partner Management Notice

Global Partner Management Notice Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with

More information

Symposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda

Symposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda 2010 Finance & Business Operations Symposium (FBOS) PCI Compliance Cort M. Kane COO, designdata Judy Durham CFO, NPES Kymberly Bonzelaar, Sr. VP Capital One Richard Eggleston, Sr. Project Director, TMAR

More information

La règlementation VisaCard, MasterCard PCI-DSS

La règlementation VisaCard, MasterCard PCI-DSS La règlementation VisaCard, MasterCard PCI-DSS Conférence CLUSIF "LES RSSI FACE À L ÉVOLUTION DE LA RÉGLEMENTATION" 7 novembre 07 Serge Saghroune Overview of PCI DSS Payment Card Industry Data Security

More information

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6 1. Procedure Title: PCI Compliance Program COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6 2. Procedure Purpose and Effect: All Colorado State University departments that accept credit/debit

More information

PCI DSS Compliance Services January 2016

PCI DSS Compliance Services January 2016 PCI DSS Compliance Services January 2016 20160104-Galitt-PCI DSS Compliance Services.pptx Agenda 1. Introduction 2. Overview of the PCI DSS standard 3. PCI DSS compliance approach Copyright Galitt 2 Introduction

More information

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name

More information

PCI DSS Payment Card Industry Data Security Standard. Merchant compliance guidelines for level 4 merchants

PCI DSS Payment Card Industry Data Security Standard. Merchant compliance guidelines for level 4 merchants Appendix 2 PCI DSS Payment Card Industry Data Security Standard Merchant compliance guidelines for level 4 merchants CONTENTS 1. What is PCI DSS? 2. Why become compliant? 3. What are the requirements?

More information

PCI DSS. Payment Card Industry Data Security Standard. www.tuv.com/id

PCI DSS. Payment Card Industry Data Security Standard. www.tuv.com/id PCI DSS Payment Card Industry Data Security Standard www.tuv.com/id What Is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is the common security standard of all major credit cards brands.the

More information

PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core

PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core PCI PA - DSS Point ipos Implementation Guide VeriFone Vx820 using the Point ipos Payment Core Version 1.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page

More information

Is the PCI Data Security Standard Enough?

Is the PCI Data Security Standard Enough? Is the PCI Data Security Standard Enough? By: Christina M. Freeman ICTN 6870 Advanced Network Security Abstract: This paper will present the researched facts on Payment Card Industry Data Security Standard

More information

Five PCI Security Deficiencies of Restaurants

Five PCI Security Deficiencies of Restaurants Whitepaper The Most Common PCI Compliance Mistakes of Brick-and-Mortar Locations By Bradley K. Cyprus- Senior Security Architect, Vendor Safe 2011 7324 Southwest Freeway, Suite 1700, Houston, TX 77074

More information

Why Is Compliance with PCI DSS Important?

Why Is Compliance with PCI DSS Important? Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These

More information