The PCI Security Standards Council. Bob Russo, General Manager January 30, 2009
Slide 2: PCI SSC - The Standards

Slide 3: The PCI Security Standards Council Founders

Slide 4: Organizational Structure

Slide 5: PCI DSS Drivers (diagram labels)
- Advisory Board
- Industry Best Practices
- Community Meeting
- Proactive feedback from POs and Assessor Community
- PCI Data Security Standard
- Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs)
- ADC Forensics Results
- Security Scans
- On-Site Audits
- Self-Assessment Questionnaire

Slide 6: Notable Successes
- Assessor Servicing Markets per Region: Asia Pacific: 29; Canada: 16; CEMEA: 28; Latin America & Caribbean: 27; United States: 87; Europe: 57
- Over 500 Participating Organizations around the world
- Successful Community Meetings with over 700 attendees from around the world
- Board of Advisors driving special interest groups: Wireless; Pre-authorization
- 164 current QSA Companies, of these 74 are also ASV Companies
- Total QSAs (individuals) trained to date is 1,063
- Additional devices added to PED Standard
- Implemented two-year lifecycle process for DSS & SAQ
- PCI SSC participated in 33 events worldwide

Slide 7: Roles and Responsibilities of the Council
PCI SSC:
- Is an independent industry standard
- Manages the technical and business requirements for how payment data should be stored and protected
- Maintains the list of the qualified PCI assessor community: QSAs, ASVs, PA-QSAs and PED Labs
PCI SSC does not manage or drive compliance. Each brand continues to maintain its own compliance programs:
- Identifies stakeholders that need to validate compliance
- Definitions of validation levels
- Fines and fees

Slide 8: Resources Provided by Council
- Security standards and supporting documents
- Frequently asked questions
- List of approved QSAs, ASVs, PA-QSAs, PED Labs
- Education and outreach programs: Webinars; Newsletters/bulletins
- Council appeared in almost 300 pieces of coverage globally since January
- Searchable FAQ tool for all standards-related questions
- Participating organization membership, community meetings, qualifications, standards feedback
- One global voice for the industry

Slide 9: A Phased Approach to Standard Updates (diagram labels)
- Input from Participating Organizations, QSAs and ASVs
- Community Meeting
- Revisions for Consideration
- Revised PCI Standard
- Phase 1, Phase 2, Phase 3
Slide 10: PCI SSC Standards

Slide 11: Threat Landscape
Implementing the standard is a journey, not a destination.
Risky behavior:
- 81% store payment card numbers
- 73% store payment card expiration dates
- 53% store customer data from the magnetic stripe on the card
- 16% store other personal data
Source: Forrester Consulting, Sept

Slide 12: The Cost of Complying
Three categories of compliance:
- Upgrading payment systems and security
- Verifying compliance (assessment)
- Sustaining compliance
How much does this cost your organization? For merchants with complex or older systems, it may cost millions.
The Cost of Not Complying: the same study estimated non-compliance costs significantly higher, including:
- Crisis cost upgrades
- Repeat assessments
- Notification costs
- Brand reputation
- Shareholder and consumer lawsuits
The cost of a breach can easily be 20 times the cost of PCI compliance.
Source: "PCI Compliance Cost Analysis: A Justified Expense." A joint analysis conducted by Solidcore Systems, Emagined Security and Fortrex, Jan. [This study utilized data from several sources including level 1 and level 2 merchants with 2,000-2,500 retail locations.]

Slide 13: Forensics Statistics
- Inside Jobs vs. Intrusions: 17% inside; ~77% are partial insiders
- Breach Sources: ~13% inside U.S.
- Findings Percentages: 92% confirmed security breach; >60% confirmed data compromise; law enforcement involvement in 87% of cases
- Incident Detection: >75% via allegation of compromise
- Payment Cards vs. Others: >60%
- Consumer data: payment card information (credit/debit; card-present/CNP); personal check information
- Identity-related data: name, address, Social Security, Social Insurance; IRS/tax return information
- Company-proprietary: financial records; HR/employee data; product strategy & roadmap; trade secrets & technology
- Case Commonalities: 19% SQL injection; 45% POS systems; 10% wireless infrastructure; ~50% via 3rd-party connections
- Vulnerability Scanning, SQL injection cases: 71% had commercial scanning; 63% detected the SQL vulnerability; 15% in scan reports for 1 year+

Slide 14: Top PCI DSS Violations
- Requirement 1: Install and maintain a firewall to protect cardholder data
- Requirement 3: Protect stored data
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 10: Track and monitor access to network and card data
- Requirement 11: Regularly test security systems and processes
- Requirement 12: Maintain a policy that addresses information security
Chart legend: violations >50% found during forensic investigations; violations <50% found during forensic investigations; violations found during initial PCI DSS audits

Slide 15: The Five Stages of Grief
- Denial: "It doesn't apply to me." PCI compliance is mandatory.
- Anger: "It isn't fair." PCI applies to all parties in the payment process.
- Bargaining: "I'll do some of it." Compliance is pass/fail.
- Depression: "I'll never get there." Many merchants already have.
- Acceptance: "It'll be OK." PCI doesn't introduce any new, alien concepts.

Slide 16: The PCI Data Security Standard
Payment Card Industry (PCI) Data Security Standard Version 1.2. Release: October 2008.
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer payment data.

Slide 17: The PCI Data Security Standard - Six Goals, Twelve Requirements
Goals:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Requirements:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors
Slide 18: Summary of General Changes
- Consolidate PCI DSS documents: PCI DSS and Security Assessment Procedures
- Consistent use of terms throughout: system components, cardholder data environment, cardholder data
- Enhance required introductory content for the Report on Compliance
- Clarify use and review of compensating controls in Appendices B and C
- Add Attestation of Compliance forms, replacing current payment brand forms
- Add flowchart for scoping and sampling

Slide 19: Summary of General Changes (cont.) - Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Clarified requirement to illustrate that all sub-requirements apply to both routers and firewalls
- Combined requirements and sub-requirements to clarify Requirement 1
- Added flexibility in the time frame for review of firewall rules, from quarterly to every 6 months, based on Participating Organization feedback. Now the control can be better customized to the organization's risk management policies

Slide 20: Summary of General Changes (cont.) - Build and Maintain a Secure Network
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Clarified that the requirement applies to wireless environments attached to the cardholder environment or transmitting cardholder data
- Removed references to WEP in order to emphasize using strong encryption technologies for wireless networks, for both authentication and encryption
- Removed the requirement to disable SSID broadcast, since disabling SSID broadcast does not prevent a malicious user from determining the SSID, as the SSID is broadcast over numerous other messaging/communication channels

Slide 21: Summary of General Changes (cont.) - Protect Cardholder Data
Requirement 3: Protect stored cardholder data
- Emphasized use of consistent terms throughout, such as PAN and strong cryptography
- Clarified requirement for disk encryption to emphasize local user account databases
Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Wireless must now be implemented according to industry best practices (e.g., IEEE i) using strong encryption for authentication and transmission
- New implementations of WEP are not allowed after March 31, 2009
- Current implementations must discontinue use of WEP after June 30,

Slide 22: Summary of General Changes (cont.) - Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
- Clarified that the requirement for use of anti-virus software applies to all operating system types
- Clarified that anti-virus software must address all known types of malicious software
Requirement 6: Develop and maintain secure systems and applications
- Added flexibility to the patching requirement by specifying that a risk-based approach may be used to prioritize patch installation
- Requirement 6.6 is now mandatory. All public-facing Web applications are subject to either 1) reviews of applications via manual or automated vulnerability assessment tools or methods, or 2) installing an application-layer firewall in front of public-facing Web applications

Slide 23: Summary of General Changes (cont.) - Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
- Clarified language around testing procedures
Requirement 8: Assign a unique ID to each person with computer access
- Clarified that testing procedures must verify that passwords are unreadable in storage and transmission
- Clarified user authentication by allowing both passwords and passphrases, and by combining previous bullets under two-factor authentication and providing examples

Slide 24: Summary of General Changes (cont.) - Implement Strong Access Control Measures
Requirement 9: Restrict physical access to cardholder data
- Specified that offsite storage locations must be visited at least annually
- Provided flexibility in the requirement for cameras to allow organizations to select other appropriate access control mechanisms
- Clarified that the requirement to secure media applies to electronic and paper media that contains cardholder data
- Clarified destruction requirements for media containing cardholder data

Slide 25: Summary of General Changes (cont.) - Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
- Clarified that logs for external-facing technologies (for example, wireless, firewalls, DNS and mail) must be copied to an internal log server
- Provided flexibility and clarified that three months of audit trail history must be immediately available for analysis or quickly accessible (online, archived or restorable from backup)

Slide 26: Summary of General Changes (cont.) - Regularly Monitor and Test Networks
Requirement 11: Regularly test security systems and processes
- Provided more guidance on use of wireless analyzers and/or wireless intrusion detection or prevention systems
- Outlined that ASVs must be used for quarterly external vulnerability scans
- Specified that both internal and external penetration tests are required, and clarified that it is not required to use a QSA or ASV for penetration tests

Slide 27: Summary of General Changes (cont.) - Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for employees and contractors
- Expanded the list of examples of critical employee-facing technologies to include remote access technologies, wireless technologies, removable electronic media, usage, Internet usage, laptops, and Personal Data Assistants (PDAs)
- Updated the timeframe that requires employees to acknowledge that they have read and understood the company's security policy and procedures to at least annually
- Updated former "contract and connected entities" language to clarify that organizations must have policies and processes implemented to manage and monitor service providers
Slide 28: PCI DSS Lifecycle Process (diagram)

Slide 29: SAQ Objectives - Self-Assessment Questionnaire (SAQ)
- Alignment with the PCI DSS v1.2
- Based on industry feedback
- Flexibility for multiple merchant types
- Providing guidance for the intent and applicability of the underlying requirements

Slide 30: Self-Assessment Questionnaire

| Validation Type | Description | SAQ | Questions |
|---|---|---|---|
| 1 | Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants | A | <11 |
| 2 | Imprint-only merchants with no cardholder data storage | B | 21 |
| 3 | Stand-alone dial-up terminal merchants, no cardholder data storage | B | 21 |
| 4 | Merchants with payment application systems connected to the Internet, no cardholder data storage | C | 38 |
| 5 | All other merchants (not included in descriptions for SAQs A, B or C above) and all service providers defined by a payment brand as eligible to complete an SAQ | D | Full DSS |

Slide 31: The Payment Application Data Security Standard
Payment Application Data Security Standard (PA-DSS): distinct from but aligned with PCI DSS. PA-DSS is a comprehensive set of requirements designed for payment application software vendors to facilitate their customers' PCI DSS compliance. This comprehensive standard is intended to help organizations minimize the potential for security breaches due to flawed payment applications, leading to compromise of full magnetic stripe data.

Slide 32: The Payment Application Data Security Standard - Fourteen Requirements
Protecting Payment Application Transactions:
1. Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2) or PIN block data
2. Provide secure password features
3. Protect stored cardholder data
4. Log application activity
5. Develop secure applications
6. Protect wireless transmissions
7. Test applications to address vulnerabilities
8. Facilitate secure network implementation
9. Cardholder data must never be stored on a server connected to the Internet
10. Facilitate secure remote software updates
11. Facilitate secure remote access to application
12. Encrypt sensitive traffic over public networks
13. Encrypt all non-console administrative access
14. Maintain instructional documentation and training programs for customers, resellers, and integrators

Slide 33: PIN Entry Device Requirements
Physical attributes: attributes that deter physical attacks, e.g. penetration of the device to determine key(s), or planting a PIN-disclosing bug within the device.
Logical attributes: logical security characteristics include functional capabilities that preclude allowing the device to output a clear-text PIN encryption key.
The PED Security Requirements are designed to secure personal identification number (PIN)-based transactions globally and apply to devices (attended or unattended) that accept PIN entry for all PIN-based transactions, as well as non-cardholder interface devices (hardware security modules).

Slide 34: PIN Entry Device Requirements - Device Types Under PED
Traditional devices include:
- Point-of-sale PED designed for secure PIN entry
- Attended devices (e.g., sales clerk, cashier)
New devices scheduled for 2008 include:
- Unattended Payment Terminals (UPTs): fuel pumps, kiosks, ticketing machines
- Hardware (or Host) Security Modules (HSMs): non-cardholder interface embedded devices that are used for PIN translation, card personalization, data protection, electronic commerce

Slide 35: PCI DSS Applicability Information

| Category | Data Element | Storage Permitted | Protection Required | PCI DSS Req. 3.4 |
|---|---|---|---|---|
| Cardholder Data | Primary Account Number (PAN) | Yes | Yes | Yes |
| Cardholder Data | Cardholder Name [1] | Yes | Yes [1] | No |
| Cardholder Data | Service Code [1] | Yes | Yes [1] | No |
| Cardholder Data | Expiration Date [1] | Yes | Yes [1] | No |
| Sensitive Authentication Data [2] | Full Magnetic Stripe Data [3] | No | N/A | N/A |
| Sensitive Authentication Data [2] | CAV2/CVC2/CVV2/CID | No | N/A | N/A |
| Sensitive Authentication Data [2] | PIN/PIN Block | No | N/A | N/A |

[1] These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.
[2] Sensitive authentication data must not be stored after authorization (even if encrypted).
[3] Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.
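As an added illustration (not part of the original deck or of any PCI SSC tooling), the script below applies the applicability table to stored records: it flags retained sensitive authentication data, clear-text PANs that do not meet Req. 3.4, and track data leaked into free-text fields. Field names, the truncation convention and the sample records are constructed assumptions.

```python
"""Audit stored records against the PCI DSS applicability table above.
Field names, record layout and sample records are constructed for illustration."""
import re

# Table rows marked "Storage Permitted: No": sensitive authentication data,
# never storable after authorization, even encrypted (footnote [2]).
SENSITIVE_AUTH_FIELDS = {"full_track", "cvv", "pin_block"}
# Rows that may be stored but must be protected when kept with the PAN (footnote [1]).
PAN_LINKED_FIELDS = {"cardholder_name", "service_code", "expiration_date"}

# Track 1 holds the PAN between a format code and '^' separators (name, expiry);
# track 2 holds PAN '=' expiry. Either pattern in storage is full-track data.
TRACK1_RE = re.compile(r"%?B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}")
# A candidate PAN is a 13-19 digit run that is not part of a longer number.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: separates real PANs from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def readable_pan(value: str) -> bool:
    """True when a field holds a clear-text, Luhn-valid PAN (Req. 3.4 not met).
    Assumed convention: a truncated PAN keeps only its last four digits, so it
    never matches here; hashed or encrypted PANs would need their own check."""
    return PAN_RE.fullmatch(value) is not None and luhn_ok(value)


def scan_text(text: str) -> set:
    """Card data that leaked into free-text fields (notes, logs, error messages)."""
    found = set()
    if TRACK1_RE.search(text) or TRACK2_RE.search(text):
        found.add("full_track")
    if any(luhn_ok(m.group()) for m in PAN_RE.finditer(text)):
        found.add("pan")
    return found


def check_record(record: dict) -> list:
    """Findings for one stored record as (severity, message) tuples."""
    findings = []
    keys = set(record)
    for field in sorted(SENSITIVE_AUTH_FIELDS & keys):
        if record[field]:
            findings.append(("violation", f"{field}: may not be stored after authorization"))
    if readable_pan(record.get("pan", "")):
        findings.append(("violation", "pan: stored readable; Req. 3.4 requires it be rendered unreadable"))
        # Name, service code and expiry only need protection when stored with the PAN.
        for field in sorted(PAN_LINKED_FIELDS & keys):
            if record[field]:
                findings.append(("advisory", f"{field}: stored with the PAN, protection required"))
    # Everything else is treated as free text and scanned for leaked card data.
    for field in sorted(keys - SENSITIVE_AUTH_FIELDS - PAN_LINKED_FIELDS - {"pan"}):
        for leak in sorted(scan_text(str(record[field]))):
            findings.append(("violation", f"{field}: contains {leak} data"))
    return findings


# Constructed sample records (well-known test PANs, not real cards).
CONSTRUCTED_RECORDS = [
    # Compliant: PAN truncated, no sensitive authentication data kept.
    {"id": 1, "pan": "************1111", "cardholder_name": "A. Example",
     "expiration_date": "0912", "cvv": ""},
    # Violations: readable PAN and a CVV retained after authorization.
    {"id": 2, "pan": "4111111111111111", "cardholder_name": "B. Example",
     "cvv": "123", "notes": ""},
    # Violation: track 2 data leaked into a free-text field.
    {"id": 3, "pan": "************4444",
     "notes": "retry: ;5555555555554444=09121011000012345678?"},
]


def audit(records: list) -> dict:
    """Map record id -> findings; an empty list means the record is clean."""
    return {r["id"]: check_record(r) for r in records}


if __name__ == "__main__":
    for rid, found in audit(CONSTRUCTED_RECORDS).items():
        print(rid, found or "no findings")
```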
Slide 36: PCI SSC Community Meetings

Slide 37: Community Meeting (diagram labels)
- Merchants
- Acquirers
- Approved Scanning Vendors
- Qualified Security Assessors
- Service Providers
- Brands

Slide 38: Community Meeting
Two meetings, responsive to industry:
- Orlando, Fla., Sept: offered vendor showcase opportunity
- Brussels, Belgium, Oct: program in conjunction with PCI Europe
Your opportunity to get involved in setting the global PCI standards. Not yet a Participating Organization? Join us at

Slide 39: How To Get Involved

Slide 40: Global Participation & Representation
More than 500 organizations have been accepted:
- North America: 411
- Asia Pacific: 12
- Europe: 78
- Latin America / Caribbean: 6
- Central Europe / Middle East / Africa: 14

Slide 41: Board Representation & Special Interest Groups - A Seat at the Table
- Financial institutions
- Merchants
- Gateways
- Processors
- Service providers
- EFT networks
- Associations
- Vendors

Slide 42: Participating Organization Privileges
- Vote and run for the Participating Organization Board of Advisors
- Comment on DSS, SAQ, PED, PA-DSS and other PCI SSC documentation, prior to public release
- Attend Community Meetings
- Attend Webinar meetings
- Recommend new initiatives and standards
- Early updates on upcoming press releases
- Monthly bulletin from the SSC General Manager
- Coming soon: exclusive private Web site for the PO and assessor community
Reserve your seat at the table.

Slide 43: Board of Advisors
- Financial Institutions: Bank of America; JP Morgan Chase and Co.; Citibank N.A., Global Consumer Group; Commonwealth Bank of Australia; The Royal Bank of Scotland
- Processors: Chase Paymentech Solutions; First Data Corporation; Interac Association; Moneris Solutions Corporation; SERVICIOS ELECTRONICOS GLOBALES S.A. DE C.V.; TSYS Acquiring Solutions
- Merchants: British Airways, plc; Exxon Mobil Corporation; McDonalds Corporation; Microsoft; Tesco Stores Ltd.; Wal-Mart Stores, Inc.
- Associations & Vendors: APACS; EPC; PayPal, Inc.; VeriFone, Inc.

Slide 44: Roles and Responsibilities
- Provide feedback
- Set strategy: emerging security issues; additional standards; evolving the current standard(s)
- Set agenda/programs for Community Meetings
- Time commitments: face-to-face meetings (as needed); conference calls (regularly scheduled)
- SME, panelists, moderator (Community Meetings/Webinars)
- Regional and business category market feedback
- Ad hoc working groups

Slide 45: Board of Advisors (Working Groups)
- PA DSS Task Force: develop best practices into industry standards; evolution of testing criteria in the applications; driving marketplace adoption. Members include: Paypal, Verifone, Moneris, JP Morgan Chase
- Community Meeting Agenda Task Force: restructure agenda; define clear business models to use going forward. Members include: Paypal, TSYS Acquiring Solutions, Microsoft, RBS
- Outreach and Education Task Force: identify additional marketing and educational needs, based on industry size, region, etc. Members include: Walmart Stores Inc., APACS, British Airways, First Data Corporation

Slide 46: Participating Organizations
Categories: Financial Institutions; Associations; Other; POS; Processors; Merchants; Vendors. For a full list:

Slide 47: Need More Information?

Slide 48: Thank You!
More informationThe Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development
The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment Card Industry Data Security Standards
More informationThe PCI Security Standards Council. Jeremy King European Director
The PCI Security Standards Council Jeremy King European Director Agenda How can you defend your card data? What is the Council doing to help you? What tools are available to get you secure? How can you
More informationNorth Carolina Office of the State Controller Technology Meeting
PCI DSS Security Awareness Training North Carolina Office of the State Controller Technology Meeting April 30, 2014 agio.com A Note on Our New Name Secure Enterprise Computing was acquired as the Security
More informationWhite Paper. Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance
White Paper Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance Executive Overview
More informationHow To Protect Your Credit Card Information From Being Stolen
Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)
More informationPCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock
PCI DSS 3.0 Overview OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock 01/16/2015 Purpose of Today s Presentation To provide an overview of PCI 3.0 based
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission
More informationPLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01
PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01 Information updated: 21 October 2012 SAFEGUARDING CARDHOLDER
More informationTNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business
TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment
More informationPDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)
PDQ has created an Answer Guide for the Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C to help wash operators complete questionnaires. Part of the Access Customer Management
More informationPCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing
More informationHow To Protect Your Business From A Hacker Attack
Payment Card Industry Data Security Standards The payment card industry data security standard PCI DSS Visa and MasterCard have developed the Payment Card Industry Data Security Standard or PCI DSS as
More informationFrequently Asked Questions
PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply
More informationPresented By: Bryan Miller CCIE, CISSP
Presented By: Bryan Miller CCIE, CISSP Introduction Why the Need History of PCI Terminology The Current Standard Who Must Be Compliant and When What Makes this Standard Different Roadmap to Compliance
More informationInformation Technology
Credit Card Handling Security Standards Overview Information Technology This document is intended to provide guidance to merchants (colleges, departments, organizations or individuals) regarding the processing
More informationPCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com
Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration
More informationPCI DSS Requirements - Security Controls and Processes
1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data
More informationSECTION: SUBJECT: PCI-DSS General Guidelines and Procedures
1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities
More informationPayment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS
The PCI Security Standards Council http://www.pcisecuritystandards.org The OWASP Foundation http://www.owasp.org Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS Omar F. Khandaker,
More informationPCI Compliance Overview
PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 3.2 May 2016 Document Changes Date Version Description October 1, 2008 1.2 October 28,
More informationWHITE PAPER. PCI Basics: What it Takes to Be Compliant
WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through
More informationSecurity Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments
Security in the Payment Card Industry OWASP AppSec Seattle Oct 2006 Hap Huynh, Information Security Specialist, Visa USA hhuynh@visa.com Copyright 2006 - The OWASP Foundation Permission is granted to copy,
More informationPayment Application Data Security Standard
Payment Card Industry (PCI) Payment Application Data Security Standard ROV Reporting Instructions for PA-DSS v2.0 March 2012 Changes Date March 2012 Version Description Pages 1.0 To introduce PA-DSS ROV
More informationPCI DSS Quick Reference Guide
PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 2.0 For merchants and entities that store, process or transmit cardholder data Contents Copyright 2010
More informationPCI DSS Gap Analysis Briefing
PCI DSS Gap Analysis Briefing The University of Chicago October 1, 2012 Walter Conway, QSA 403 Labs, LLC Agenda The PCI DSS ecosystem - Key players, roles - Cardholder data - Merchant levels and SAQs UofC
More informationPayment Cardholder Data Handling Procedures (required to accept any credit card payments)
Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Introduction: The Procedures that follow will allow the University to be in compliance with the Payment Card Industry
More informationTechnical breakout session
Technical breakout session Small leaks sink great ships Managing data security, fraud and privacy risks Tarlok Birdi, Deloitte Ron Borsholm, WTS May 27, 2009 Agenda 1. PCI overview: the technical intent
More informationUnderstanding and Managing PCI DSS
Understanding and Managing PCI DSS PCI DSS in Context Some History Key Players Validating Compliance Cardholder Data 2! 5 Stages of PCI Grief Denial: It doesn t apply to me PCI compliance is mandatory
More informationTechnology Innovation Programme
FACT SHEET Technology Innovation Programme The Visa Europe Technology Innovation Programme () was designed to complement the Payment Card Industry (PCI) Data Security Standard (DSS) by reflecting the risk
More informationCredit Card Handling Security Standards
Credit Card Handling Security Standards Overview This document is intended to provide guidance to merchants (colleges, departments, auxiliary organizations or individuals) regarding the processing of charges
More informationPayment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security
Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security John Mason Slides & Code - labs.fusionlink.com Blog - www.codfusion.com What is PCI-DSS? Created by the
More informationUniversity of Dayton Credit / Debit Card Acceptance Policy September 1, 2009
University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor
More informationSafe and Sound Processing Telephone Payments Securely. A white paper from Barclaycard and Visa Europe leading the way in secure payments April 2015
Safe and Sound Processing Telephone Payments Securely A white paper from Barclaycard and Visa Europe leading the way in secure payments April 2015 Executive summary The following information and guidance
More informationEnforcing PCI Data Security Standard Compliance
Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security & VideoSurveillance Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 The
More informationKey Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
More informationPCI DSS Overview. By Kishor Vaswani CEO, ControlCase
PCI DSS Overview By Kishor Vaswani CEO, ControlCase Agenda About PCI DSS PCI DSS Applicability to Banks, Merchants and Service Providers PCI DSS Technical Requirements Overview of PCI DSS 3.0 Changes Key
More informationPayment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire C-VT Version 2.0 October 2010 Attestation of Compliance, SAQ C-VT Instructions for Submission
More informationYour guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)
Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions Version 5.0 (April 2011) Contents Contents...2 Introduction...3 What are the 12 key requirements of
More informationStandard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: March 2011. Information Supplement: Protecting Telephone-based Payment Card Data
Standard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: March 2011 Information Supplement: Protecting Telephone-based Payment Card Data Table of Contents Executive Summary 3 Clarification of
More informationRetour d'expérience PCI DSS
Retour d'expérience PCI DSS Frédéric Charpentier OSSIR : Retour d'expérience PCI DSS - 1 XMCO PARTNERS : Who are we? Xmco Partners is a consulting company specialized in IT security and advisory Xmco Partners
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission
More informationPCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00
PCI PA - DSS Point XSA Implementation Guide Atos Worldline Banksys XENTA SA Version 1.00 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page number 2 (16)
More information2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)
CSU, Chico Credit Card Handling Security Standard Effective Date: July 28, 2015 1.0 INTRODUCTION This standard provides guidance to ensure that credit card acceptance and ecommerce processes comply with
More informationThe PCI Security Standards Council. Bob Russo June 2011
The PCI Security Standards Council Bob Russo June 2011 What are the threats to card data? How can you defend your card data? What is the Council doing to help you? What tools are available to get you secure?
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C-VT and Attestation of Compliance Merchants with Web-Based Virtual Payment Terminals No Electronic Cardholder Data Storage
More informationUnderstanding Payment Card Industry (PCI) Data Security
Understanding Payment Card Industry (PCI) Data Security Office of the State Controller November 2010 State of North Carolina The Enemy Major Security Breaches TJ-Max Heartland Hannaford Foods BJ s Wholesale
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission
More informationP R O G R E S S I V E S O L U T I O N S
PCI DSS: PCI DSS is a set of technical and operational mandates designed to ensure that all organizations that process, store or transmit credit card information maintain a secure environment and safeguard
More informationTwo Approaches to PCI-DSS Compliance
Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,
More informationProperty of CampusGuard. Compliance With The PCI DSS
Compliance With The PCI DSS Today s Agenda PCI DSS Introduction How are Colleges and Universities Affected? How Do You Validate Compliance? Best Practices Q&A CampusGuard Full-Service QSA/ASV Firm We Know
More informationYour Compliance Classification Level and What it Means
General Information What are the Payment Card Industry (PCI) Data Security Standards? The PCI Data Security Standards represents a common set of industry tools and measurements to help ensure the safe
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission
More informationPCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core
PCI PA - DSS Point ipos Implementation Guide VeriFone Vx820 using the Point ipos Payment Core Version 1.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page
More information