PCI Security Standards Council

Transcription

1 PCI Security Standards Council Bob Russo, General Manager 2013

2 Why PCI Matters Applying PCI How You Can Participate Agenda

3 About the PCI Council Open, global forum Founded 2006 Guiding open standards for payment card security Development Management Education Awareness

4 Business Sectors With the Most Breaches Systems that store, process or transmit cardholder data remain primary targets for criminals Retail 45% Food & Beverage 24% Hospitality 9% Other 8% Financial Services 7% Nonprofit 3% Health & Beauty 2% High Technology 2% Source: Trustwave 2013 Global Security Report

5 Top Mistakes By Those Breached Revealed by Forensic Audits Weak Passwords Lack of employee education Security deficiencies introduced by third parties responsible for system support, development and/or maintenance Slow self-detection Source: Trustwave 2013 Global Security Report

6 PCI Standards Help Secure Your Data 92% of compromises were simple 97% were avoidable through simple or intermediate controls 92% 97% Source: Verizon 2012 Data Breach Investigations Report

7 PCI Security Standards Suite Protection of Cardholder Payment Data Manufacturers PCI PTS Pin Entry Devices Software Developers PCI PA-DSS Payment Applications Merchants & Service Providers PCI DSS Secure Environments PCI Security & Compliance P2PE Ecosystem of payment devices, applications, infrastructure and users

8 Getting Ready for PCI Focus: Updating PCI Standards and supporting documents based on Community feedback

9 PTS POI 4.0 May 2013 Key Changes Security policy Device implementation documentation Restructure open protocols module Enhanced interface testing Added source code reviews Open source code reviews

10 Card Production Requirements May 2013 Physical Personnel Vendor Premises Production Procedures and Audit Trails Product Storage and Shipping Procedures 10

11 Card Production Requirements Logical Typical Vendor Network Private Network (Leased lines) Vendor Controlled Issuer/ Data Source Internet Internet Facing Network Data Processing Network Perso Network POTS 11

12 Why PCI Matters Applying PCI How You Can Participate Applying PCI

13 Applying PCI in Your Environment Mobile P2PE Virtualization ATM Tokenization Cloud EMV

14 EMV Chip Helps Reduce Face-to-Face Fraud EMV chip by itself does not protect the confidentiality of, or inappropriate access to sensitive authentication data and/or cardholder data in card-not-present or Internet transactions

15 Even EMV Chip Security Needs PCI

16 Understanding Mobile Payments Making Payments Accepting Payments Applications

17 PCI on Mobile Payment Acceptance Security Identified mobile applications that can be validated to PA-DSS Published merchant guidance for mobile solutions leveraging P2PE Developed best practices for developers New merchant guidelines

18 Areas of Focus for Mobile MOBILE Devices Tamper-responsive, PTS Devices (e.g. SCR) using P2PE Applications Requirements and/or Best Practices for authorization and settlement Service Providers Service provider protection of cardholder data and validation

19 Guidance on Mobile Payment Acceptance Security

20 New Merchant Guidelines For Merchants as End-Users Objectives and guidance for the security of a payment transaction Guidelines for securing the mobile device Guidelines for securing the payment acceptance solution

21 Point-to-Point Encryption Point-to-Point Encryption Available to all members of the payment chain Also called P2PE Optional standard for decreasing scope PCI 2PE hardware /hardware requirements available PCI P2PE Hybrid requirements available

22 Tokenization Work on tokenization standards has begun PAN Ensure that process of creating token from PAN doesn t leak information about PAN Ensure that a token or collection of tokens by themselves cannot feasibly allow discovery of PAN Ensure that adequate controls exist over detokenization process T Token Ensure that token cannot be used in lieu of PAN for impermissible purposes

23 ATM Security Best Practices ATM Best Practices for development, deployment and management of ATMs Target Audience ATM manufacturers Integrators Deployers of ATMs

24 Special Interest Group (SIG) Guidance E-commerce Security Risk Assessment Cloud Computing Awareness of specific risks and considerations Guidance on how to determine what these might mean for your particular environment Recommendations and best practices for PCI DSS Go to our website today to download these new guidelines!

25 The Formula for Payment Security Success People + Processes + Technology = Security

26 Why PCI Matters Applying PCI How You Can Participate How You Can Participate

27 2013 Training Highlights Online Internal Security Assessor (ISA) Training P2PE Assessor Training Corporate PCI Awareness Let Us Come To You! Online Awareness Training in Four Hours Qualified Integrators and Resellers (QIR) Program PCI Professional Program (PCIP) To learn more, visit: training/index.php

28 Qualified Integrators & Resellers Program Addresses common merchant misconceptions: I m using a PA-DSS validated application, so I must be OK. I m using a reputable 3 rd party, so they must be doing a secure installation. This applies only to brick and mortar establishments.

29 Payment Card Industry Professional (PCIP) Support your organization Professional credibility Competitive advantage Global directory Now Available

30 Internal Security Assessor (ISA) Program A comprehensive PCI DSS training and qualification program for eligible internal audit security professionals that you asked for! Improves your understanding of PCI DSS and compliance procedures Helps your organization build internal expertise Teaches processes that can reduce the cost of compliance

31 Be Involved Contribute Your Expertise! Chief Security Officers IT Managers Information Security Professionals Risk Managers Compliance Officers Join! Become a Participating Organization today Chief Information Officers Forensic Investigators Legal Experts Technologists Data Security Experts

32 Help Participate in Standards Development Implementation Feedback Formal Feedback Draft Revisions Feedback

33 2013 Special Interest Groups- Join us! Best Practices for Maintaining PCI Compliance Third Party Security Assurance Visit PCI SSC website to sign up

34

35 Get Involved We Need Your Input Join Learn Input Network Nominate Vote Share Influence

36 Security Compliance vs. Compliance Doesn t Equal Security

37 Questions? Please visit our website at