PCI Data Security Standard Overview and observations from the field. Andrea Del Miglio Practice Manager 28 March 2007
|
|
- Jean Adams
- 8 years ago
- Views:
Transcription
1 PCI Data Security Standard Overview and observations from the field Andrea Del Miglio Practice Manager 28 March 2007
2 Sample Agenda Slide 1 PCI background information 2 PCI Data Security Standard Top reasons for non compliance 4 Strategies for achieving compliance 5 Symantec PCI services Andrea Del Miglio Symantec Corporation PCI Data Security Standard 2
3 PCI Background Information Andrea Del Miglio Symantec Corporation PCI Data Security Standard 3
4 Payment Card Security Programs: Why? Credit card fraud occurrences have been increasing over the years and the problem is not going away Cardholders need assurances that their purchases will be secure Credit card companies do not control credit card payment transactions from end to end Credit card companies need to protect their brands Credit card companies need some mechanism to share the liability for cardholder data security Andrea Del Miglio Symantec Corporation PCI Data Security Standard 4
5 Prior Payment Card Security Programs Individual programs existed prior to the PCI standard Visa: Cardholder Information Security Program (CISP) MasterCard: Site Data Protection Program (SDP) American Express What s wrong with this picture? Companies have to follow more than one process to achieve the same end goal Redundancies between programs Different lists of qualified assessors may require companies to contract with more than one independent assessor to complete all the audits Discrepancies between the different security standards Andrea Del Miglio Symantec Corporation PCI Data Security Standard 5
6 The PCI Data Security Standard PCI Data Security Standard (DSS) was created in December 2004 to create a single security standard Visa managed the DSS and auditing procedures/process MasterCard ran the scanning procedures/process September 2006 the PCI Security Standards Council was created Founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International Took ownership of the PCI DSS and scanning procedures Took ownership of the Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) program Certifying companies to perform audits Certifying companies to perform security scanning Released new PCI DSS v1.1 impacting all future compliance Andrea Del Miglio Symantec Corporation PCI Data Security Standard 6
7 The Intent of the PCI DSS Protect cardholder data 1 2 Primary Account Number (PAN) Expiration date Storage, transmission, and display of this data Strictly control payment card track data Raw data extracted from the magnetic 3 strip Track data can be used to duplicate payment cards Track data should never really need to be stored Keep payment card authentication data secure 4 CVV2: Card Verification Value 2 (Visa) CVC2: Card Verification Code (MasterCard) Reduce the overall risk of potential cardholder data compromise Andrea Del Miglio Symantec Corporation PCI Data Security Standard 7
8 Payment Card Transaction Examples: Typical Visa Transaction Merchant Authorization Request Processor Acquirer (Merchant Bank) Authorization Response VisaNet Cardholder Issuer Processor Andrea Del Miglio Symantec Corporation PCI Data Security Standard 8
9 Payment Card Transaction Example: Typical Visa E-commerce Transaction Payment Gateway Processor E-Commerce Merchant Authorization Request Acquirer (Merchant Bank) INTERNET Authorization Response VisaNet Cardholder Issuer Processor Andrea Del Miglio Symantec Corporation PCI Data Security Standard 9
10 Who needs to be compliant? All organizations that handle credit card transactions must be PCI compliant Affects: Merchants: typically accept credit cards directly from customers as a form of payment Service Providers: typically process credit card transactions on behalf of merchants Payment card issuers and transaction acquirers with direct connection to Visa or MasterCard s processing network Sliding scale for compliance requirements Based on volume of credit cards processed annually Merchants: Levels 1-4 Service Providers: Levels 1-3 The higher the transaction volume or the more risky the transactions the more rigorous the compliance requirements become Andrea Del Miglio Symantec Corporation PCI Data Security Standard 10
11 Merchant Requirements Qualifications Requirements Completed By Level 1 > 6 million transactions annually regardless of channel Has suffered an attack resulting in cardholder data compromise Annual On-Site Audit Quarterly Network Scan QSA or internal auditor if signed by officer of the company Qualified Independent Scan Vendor Others at Visa/MC discretion Level 2 1 million to 6 million Visa transactions Annual Self-Assessment Merchant annually Quarterly Network Scan Qualified Independent Scan Vendor Level 3 20,000 to 1 million e-commerce transactions annually Annual Self-Assessment Quarterly Network Scan Merchant Qualified Independent Scan Vendor Level 4 Fewer than 20,000 Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year Annual Self-Assessment Quarterly Network Scan Merchant Qualified Independent Scan Vendor Andrea Del Miglio Symantec Corporation PCI Data Security Standard 11
12 Service Provider Requirements Qualifications (applies to either card) Requirements Validated By Level 1 All VisaNet processors (member and non-member) All payment gateways Annual On-Site Audit Quarterly Network Scan QSA Qualified Independent Scan Vendor Level 2 Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually. Annual On-Site Audit Quarterly Network Scan Service Provider Qualified Independent Scan Vendor Level 3 Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually. Annual Self-Assessment Quarterly Network Scan Service Provider Qualified Independent Scan Vendor Andrea Del Miglio Symantec Corporation PCI Data Security Standard 12
13 Annual PCI Self-Assessment Questionnaire Required for Level 2 and 3 merchants Required for Level 3 service providers Captures Organization information Business description All third-party providers POS hardware/software used Consists of 6 sections 75 individual questions Must answer all questions Yes: compliant with requirement No: non-compliant with requirement N/A: brief written explanation is required Andrea Del Miglio Symantec Corporation PCI Data Security Standard 13
14 PCI Assessment Process: Level 1 Merchants QDSC completes an onsite PCI assessment QDSC creates Report on Compliance Includes results of quarterly scanning Includes in-place/not in-place results for all 204 individual requirements QDSC provides ROC to merchant Merchant provides ROC to upstream service provider or acquirer Quarterly Scanning Results Merchant Contracts QDSC QDSC Performs Onsite Audit Compliance Decision QDSC Generates ROC Report on Compliance QDSC Provides ROC to Merchant Merchant Provides ROC to Service Provider Andrea Del Miglio Symantec Corporation PCI Data Security Standard 14
15 PCI Assessment Process: Level 1&2 Service Providers QDSC completes an onsite PCI assessment QDSC creates Report on Compliance Includes results of quarterly scanning Includes in-place/not in-place results for all 204 individual requirements QDSC is required to complete a service provider compliance status form QDSC provides both directly to Visa USA Quarterly Scanning Results Service Provider Contracts QDSC QDSC Performs Onsite Audit Compliance Decision QDSC Generates ROC QDSC Completes Compliance Status Form Report on Compliance Service Provider Compliance Status Form QDSC Provides Directly to Visa Andrea Del Miglio Symantec Corporation PCI Data Security Standard 15
16 What Can Be Expected During an Onsite Assessment Qualified assessors are 100% dependant on the merchant or service provider PCI DSS is comprehensive, therefore it takes time to complete PCS DSS testing procedures are focused on validation of practices, not blindly accepting statements from customers Requires considerable participation from the merchant or service provider Access to customer resources is a key success factor Andrea Del Miglio Symantec Corporation PCI Data Security Standard 16
17 PCI Penalty Structure Reactive penalties Penalties are levied after a compromise of cardholder data Penalties effect acquirers and issuers directly due to contractual relationship and network connections to payment card firms Non-compliant merchants and service providers may receive penalties indirectly from their upstream acquirer Penalties Fines: Egregious violations up to $500k Forensics investigation costs Issuer/Acquirer losses Dispute resolution costs Operating restrictions on merchants Operating restrictions on service providers Visa s Compliance Acceleration Program (CAP) Fines for acquirers who have not validated that full track data is not being retained by their Level 1 Merchants by September 30, 2006 Acquirers will be fined between $5,000 and $25,000 a month for each of its Level 1 and 2 merchants who have not validated by September 30, 2007 and December 31, 2007 respectively. Acquirers failing to provide confirmation that their Level 1 and 2 merchants are not storing full track data, CVV2 or PIN data by March 31, 2007 will be eligible for fines up to $10,000 a month per merchant. Andrea Del Miglio Symantec Corporation PCI Data Security Standard 17
18 PCI DSS 1.1 Andrea Del Miglio Symantec Corporation PCI Data Security Standard 18
19 PCI Data Security Standard v1.1 Build and Maintain a Secure Network 1) Install and maintain a firewall configuration to protect cardholder data 2) Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3) Protect stored cardholder data 4) Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5) Use and regularly update anti-virus software 6) Develop and maintain secure systems and applications Implement Strong Access Control Measures 7) Restrict access to cardholder data by business need-to-know 8) Assign a unique ID to each person with computer access 9) Restrict physical access to cardholder data Regularly Monitor and Test Networks 10) Track and monitor all access to network resources and cardholder data 11) Regularly test security systems and processes Maintain an Information Security Policy 12) Maintain a policy that addresses information security Andrea Del Miglio Symantec Corporation PCI Data Security Standard 19
20 Requirement 1.1 Firewall Configuration Standards Estabilish configuration standards that include: Configuration standards for all router and firewalls Approval process for all external connections and firewall changes Up-to-date network diagram (including WLANs) Firewall separing network segments (Internet from DMZs from internal network...) Description of groups, roles and responsibilities for logical management of network components Documented list of services/ports necessary for business, with specific justification for protocols not related to HTTP, SSL, SSH and VPN Quarterly review of firewall/router rule set Andrea Del Miglio Symantec Corporation PCI Data Security Standard 20
21 Requirement 1.2 Firewall Configuration Settings Build a firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment Audit must verify that only documented protocols are allowed in running configuration (see req. 1.1) Checks must be done for both inbound and outbound traffic Check a sample of: devices between the Internet and the DMZ devices between the DMZ and the internal network Andrea Del Miglio Symantec Corporation PCI Data Security Standard 21
22 Requirement Network segmentation and firewall rules Restrict connections between publicly accessible servers and any system storing cardholder data: Use a deny-all default policy Restrict inboud IP traffic to servers in DMZ Resctirct egress traffic to necessary protocols Restrict DMZ access from the internal network passing from the Internet Use stateful inspection Secure and synchronize router configuration files Place DB servers in the internal network Segregate WLANs from the cardholder data environment Use personal firewalls on employees PCs Prohibit direct public access between external networks and any system component that stores cardholder data Use RFC 1918 addresses Andrea Del Miglio Symantec Corporation PCI Data Security Standard 22
23 Requirement Audit procedures Network Architecture: Examine updated network diagram (see req. 1.1) for consistent segregation Firewall Review: Include ALL firewalls Review configuration files for ingress and egress rules for consistency with firewall policies Verify default policy which needs to be deny-all Evaluate protocols to determine necessity Personal firewall on laptops audit configuration of a sample population Andrea Del Miglio Symantec Corporation PCI Data Security Standard 23
24 Changes in PCI DSS v1.1 Terminology changes More consistent use of terms Attempted to remove vague terms (regularly, periodically, etc.) Provided more guidance Applicability guide for data elements PCI audit scoping Applicability for hosting providers Compensating controls Modified twenty six (26) existing requirements Added four (4) new requirements Andrea Del Miglio Symantec Corporation PCI Data Security Standard 24
25 New PCI Requirements Requirement Hosting provider applicability Focused on shared hosting providers, not merchants who outsource Focus on proper segmentation of hosted entities Requirement Spyware and adware Current anti-virus deployment must detect, remove, and protect against other malicious software, including spyware and adware. Requirement 6.6 Web application security Source code reviews are performed and/or application-layer firewall in front of application(s) Becomes a requirement June 30, 2008 Requirement Management of connected entities Focus on service providers and credit card processors Program in place Policies Procedures Documentation Andrea Del Miglio Symantec Corporation PCI Data Security Standard 25
26 Top reasons for non-compliance Andrea Del Miglio Symantec Corporation PCI Data Security Standard 26
27 Where is this data coming from? Telecommunications Global retailers Brick and mortar E-commerce Credit card issuers Internet service providers Financial services Cable and content providers Manufacturing Airlines Insurance Entertainment Fulfillment Education State & local government Andrea Del Miglio Symantec Corporation PCI Data Security Standard 27
28 Top 10 Reasons for Non-compliance 1. Inconsistent host hardening 2. Deficient logging practices 3. Deficient network management 4. Unencrypted cardholder data 5. Deficient security policies 6. Lack of identity management program 7. Deficient data retention practices 8. Poor vendor management (contracts) 9. Deficient encryption management practices 10. Patch management NOTE: Based on volume not security risk or compliance impact Andrea Del Miglio Symantec Corporation PCI Data Security Standard 28
29 The Top 5- A Closer Look: #1 #1: Inconsistent host hardening PCI DSS maintains focus on infrastructure Decentralized silo-style management Lack of secure build and management process No compliance monitoring program Solution Standardize build policies and process Centralized compliance management solution Centralized access control and logging Andrea Del Miglio Symantec Corporation PCI Data Security Standard 29
30 The Top 5- A Closer Look: #2 #2: Deficient logging practices Need to be able to identify, quantify, and react to security breaches Servers and applications are not configured to log enough data Logs aren t being centrally or securely stored Inadequate log data retention Missing logs due to configuration errors Solution Configure logging properly Centralized logging & monitoring Log file retention program Outsource security monitoring Andrea Del Miglio Symantec Corporation PCI Data Security Standard 30
31 The Top 5- A Closer Look: #3 #3: Deficient network management PCI DSS focuses on perimeter network security for the cardholder data environment Network access controls Segmentation Configuration management Organizations lack configuration management procedures for firewall ACLs Organizations don t document firewall configuration and operational procedures Cardholder data isn t treated differently Solution Create detailed firewall configuration and management procedures Isolate cardholder datastores from systems and users that don t require direct access Andrea Del Miglio Symantec Corporation PCI Data Security Standard 31
32 The Top 5- A Closer Look: #4 #4: Unencrypted cardholder data Encryption is expensive and difficult Legacy systems don t support encryption Organizations don t know where all the data resides Solution Never store data you don t need Application-level encryption, database package encryption, or encryption appliances Destroy sensitive data once unneeded Andrea Del Miglio Symantec Corporation PCI Data Security Standard 32
33 The Top 5: A Closer Look #5: Deficient security policies PCI validates existence and scope of policies Organizations haven t created all the required policies Policies don t meet PCI requirements Solution Collect all regulatory and industry requirements that impact you Identify commonality Create policies Policy management tools Manually Educate staff Andrea Del Miglio Symantec Corporation PCI Data Security Standard 33
34 Root Causes for Non-compliance Organizations often unknowingly collect sensitive data Organizations don t understand the extent of their cardholder environment Organizations don t understand who this sensitive data is being shared with Reactive rather than proactive approach to PCI compliance Bottom-up approach to PCI compliance instead of top-down Immature information security programs Andrea Del Miglio Symantec Corporation PCI Data Security Standard 34
35 Strategies for achieving compliance Andrea Del Miglio Symantec Corporation PCI Data Security Standard 35
36 Achieve Compliance by Reducing Scope PCI Data Security Standard (DSS) is two years old Organizations cardholder environments pre-date the PCI DSS The more systems that collect, process, and store cardholder data the larger the scope Large scopes typically result in compliance failure Heterogeneous networks and systems Decentralized business process management Infrastructure management by silo More chance to just make a dumb mistake Cardholder data is different from other corporate data and should be managed differently Reduced Scope = Fewer Moving Parts = Path to PCI Compliance Andrea Del Miglio Symantec Corporation PCI Data Security Standard 36
37 How to Reduce Scope Physical and logical segmentation Isolate credit card systems from all other internal network segments Implement strong network access controls to enforce least privilege access control model Defense in depth Centralization Consolidate cardholder datastores Databases Local file storage Minimize cardholder data footprint to only the systems that have a business need Stop the propagation of cardholder data to non-payment card related systems Standardization Standard method of communicating with business partners Standard encryption services Standard transport services Standard application platforms Operating systems Database applications Application servers Andrea Del Miglio Symantec Corporation PCI Data Security Standard 37
38 Example Success Stories Data sensitivity driven network architecture and access control model Evolution to a services-based application architecture Eliminated silo business process architectures Eliminated integration points and unnecessary datastores Scalable Complete centralization on mainframe Single access model Single database model Minimal external communication Outsource model Risk and liability managed through contracts Nearly zero cardholder data footprint Specialized encrypted storage solution for all non-database storage Focus on culture and behavior change Andrea Del Miglio Symantec Corporation PCI Data Security Standard 38
39 Symantec PCI Consulting Services Andrea Del Miglio Symantec Corporation PCI Data Security Standard 39
40 Symantec Payment Card Industry Services Providing organizations with industry-leading security expertise and proven methodologies to effectively plan, assess and execute PCI data security programs PCI Security Audit Service PCI Security Scanning Service PCI Compliance Readiness Review PCI Payment Application Best Practices Assessment Strategic and Tactical PCI Consulting Andrea Del Miglio Symantec Corporation PCI Data Security Standard 40
41 Symantec Differentiators People Security experts, not checklist auditors Average PCI consultant has 10 years security experience Comprehensive subject matter expertise Infrastructure security Application security Security program development Management approach Act as Trusted Advisor for all security needs Focus on customer needs Dedicated management team Results Clear and concise feedback Tailored ACTIONABLE recommendations Methodologies Designed to provide real value and increased ROI Designed to assist customers meet their short-term and long-term security goals Company Depth and breadth of security expertise at customer s disposal Executive support Products and services to meet any IT security need Symantec products and services can help you achieve compliance for all PCI requirements Andrea Del Miglio Symantec Corporation PCI Data Security Standard 41
42 PCI Resources Symantec PCI Services: Symantec Compliance Solutions: Symantec PCI contacts for Italy: PCI Security Standards Council: Andrea Del Miglio Symantec Corporation PCI Data Security Standard 42
43 T h a n k Y o u! 2007 Symantec Corporation. All rights reserved. THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND IS NOT INTENDED AS ADVERTISING. ALL WARRANTIES RELATING TO THE INFORMATION IN THIS DOCUMENT, EITHER EXPRESS OR IMPLIED, ARE DISCLAIMED TO THE MAXIMUM EXTENT ALLOWED BY LAW. THE INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. Andrea Del Miglio Symantec Corporation PCI Data Security Standard 43
Josiah Wilkinson Internal Security Assessor. Nationwide
Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges
More informationPayment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.
Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History
More informationPayment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008
Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements
More informationPCI Compliance Overview
PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)
More informationIntroduction to PCI DSS
Month-Year Introduction to PCI DSS March 2015 Agenda PCI DSS History What is PCI DSS? / PCI DSS Requirements What is Cardholder Data? What does PCI DSS apply to? Payment Ecosystem How is PCI DSS Enforced?
More informationBecoming PCI Compliant
Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History
More informationAISA Sydney 15 th April 2009
AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks
More informationYour Compliance Classification Level and What it Means
General Information What are the Payment Card Industry (PCI) Data Security Standards? The PCI Data Security Standards represents a common set of industry tools and measurements to help ensure the safe
More informationIntroduction to PCI DSS Compliance. May 18, 2009 1:15 p.m. 2:15 p.m.
Introduction to PCI DSS Compliance May 18, 2009 1:15 p.m. 2:15 p.m. Disclaimer The opinions of the contributors expressed herein do not necessarily state or reflect those of the National Association of
More informationFrequently Asked Questions
PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply
More informationThe PCI DSS Compliance Guide For Small Business
PCI DSS Compliance in a hosted infrastructure A Rackspace White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by
More informationARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE
ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance
More informationPCI DSS. CollectorSolutions, Incorporated
PCI DSS Robert Cothran President CollectorSolutions www.collectorsolutions.com CollectorSolutions, Incorporated Founded as Florida C corporation in 1999 Approximately 235 clients in 35 states Targeted
More informationPCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing
More informationMinnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements
Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements
More informationPCI Compliance. Top 10 Questions & Answers
PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements
More informationPCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com Overview PCI DSS In the beginning Each major card brand had its own separate
More informationPCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
More informationPayment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0
Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0 September 2011 Changes Date September 2011 Version Description 1.0 To introduce PCI DSS ROC Reporting Instructions
More informationUniversity of Sunderland Business Assurance PCI Security Policy
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial
More informationMarch 2012 www.tufin.com
SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...
More informationTechnical breakout session
Technical breakout session Small leaks sink great ships Managing data security, fraud and privacy risks Tarlok Birdi, Deloitte Ron Borsholm, WTS May 27, 2009 Agenda 1. PCI overview: the technical intent
More informationFrequently Asked Questions
Contents CISP Program Overview... 2 1. To whom does CISP apply?...2 2. What does VISA define as "cardholder data"?...2 3. What if a merchant or service provider does not store Visa cardholder data?...2
More informationPCI Security Compliance
E N T E R P R I S E Enterprise Security Solutions PCI Security Compliance : What PCI security means for your business The Facts Comodo HackerGuardian TM PCI and the Online Merchant Overview The Payment
More informationPCI Standards: A Banking Perspective
Slide 1 PCI Standards: A Banking Perspective Bob Brown, CISSP Wachovia Corporate Information Security Slide 2 Agenda 1. Payment Card Initiative History 2. Description of the Industry 3. PCI-DSS Control
More informationPayment Card Industry Data Security Standard
Payment Card Industry Data Security Standard Abhinav Goyal, B.E.(Computer Science) MBA Finance Final Trimester Welingkar Institute of Management ISACA Bangalore chapter 13 th February 2010 Credit Card
More informationAchieving Compliance with the PCI Data Security Standard
Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),
More informationCredit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600
Credit Cards and Oracle: How to Comply with PCI DSS Stephen Kost Integrigy Corporation Session #600 Background Speaker Stephen Kost CTO and Founder 16 years working with Oracle 12 years focused on Oracle
More informationCredit Cards and Oracle E-Business Suite Security and PCI Compliance Issues
Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues August 16, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy
More informationPCI Data Security Standards
PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million
More informationWorldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)
Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) What is PCI DSS? The 12 Requirements Becoming compliant with SaferPayments Understanding the jargon SaferPayments Be smart.
More informationEnforcing PCI Data Security Standard Compliance
Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security & VideoSurveillance Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 The
More informationPayment Card Security
Payment Card Security January 31, 2008 Kieran Norton, Senior Manager Security & Privacy Services, Deloitte & Touche LLP Focus of the Presentation PCI Overview Background Current Environment Key Considerations
More informationWhy Is Compliance with PCI DSS Important?
Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These
More informationEstablish and Maintain Secure Cardholder Data with IBM Payment Card Industry Solutions
Providing stronger security practices that enable PCI Compliance and protect cardholder data. Establish and Maintain Secure Cardholder Data with IBM Payment Card Industry Solutions Highlights Offers pre-assessment
More informationMEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM
MEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM PCI DSS 1.1 compliance requirements demand a new level of administration and oversight for merchants, banks and service providers to maintain
More informationHow To Protect Your Credit Card Information From Being Stolen
Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)
More informationDon Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer
Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud
More informationPCI DSS Overview. By Kishor Vaswani CEO, ControlCase
PCI DSS Overview By Kishor Vaswani CEO, ControlCase Agenda About PCI DSS PCI DSS Applicability to Banks, Merchants and Service Providers PCI DSS Technical Requirements Overview of PCI DSS 3.0 Changes Key
More informationUniversity of Dayton Credit / Debit Card Acceptance Policy September 1, 2009
University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationLa règlementation VisaCard, MasterCard PCI-DSS
La règlementation VisaCard, MasterCard PCI-DSS Conférence CLUSIF "LES RSSI FACE À L ÉVOLUTION DE LA RÉGLEMENTATION" 7 novembre 07 Serge Saghroune Overview of PCI DSS Payment Card Industry Data Security
More informationPCI DSS Presentation University of Cincinnati
PCI DSS Presentation University of Cincinnati Quick PCI Level Set Higher Ed Challenges Getting Compliant Application w/ customers Q& A PCI DSS Payment Card Industry Data Security Standard What is the PCI
More informationComodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business
Comodo HackerGuardian PCI Security Compliance The Facts What PCI security means for your business Overview The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements intended
More informationWhitepaper. PCI Compliance: Protect Your Business from Data Breach
Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your
More informationProject Title slide Project: PCI. Are You At Risk?
Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services
More informationTwo Approaches to PCI-DSS Compliance
Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,
More informationWhat are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:
What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International
More informationTNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business
TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment
More informationPCI Compliance: How to ensure customer cardholder data is handled with care
PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4
More informationTechnology Innovation Programme
FACT SHEET Technology Innovation Programme The Visa Europe Technology Innovation Programme () was designed to complement the Payment Card Industry (PCI) Data Security Standard (DSS) by reflecting the risk
More informationUsing Skybox Solutions to Achieve PCI Compliance
Using Skybox Solutions to Achieve PCI Compliance Achieve Efficient and Effective PCI Compliance by Automating Many Required Controls and Processes Skybox Security whitepaper August 2011 1 Executive Summary
More informationCyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance
Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name
More informationPCI DSS Requirements - Security Controls and Processes
1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data
More informationPayment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.1 April 2015
Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.1 April 2015 Document Changes Date Version Description Pages October 2008 1.2 July 2009 1.2.1
More informationCase 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A
Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879 Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 2 of 116 PageID: 4880 Payment Card Industry (PCI)
More informationInformation Security Services. Achieving PCI compliance with Dell SecureWorks security services
Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)
More informationWHITE PAPER. PCI Basics: What it Takes to Be Compliant
WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through
More informationPresented By: Bryan Miller CCIE, CISSP
Presented By: Bryan Miller CCIE, CISSP Introduction Why the Need History of PCI Terminology The Current Standard Who Must Be Compliant and When What Makes this Standard Different Roadmap to Compliance
More informationNet Report s PCI DSS Version 1.1 Compliance Suite
Net Report s PCI DSS Version 1.1 Compliance Suite Real Security Log Management! July 2007 1 Executive Summary The strict requirements of the Payment Card Industry (PCI) Data Security Standard (DSS) are
More informationIT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER
July 9 th, 2012 Prepared By: Mark Akins PCI QSA, CISSP, CISA WHITE PAPER IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD PCI DSS for Merchants The Payment
More information05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013
05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of
More informationWhitepaper. PCI Compliance: Protect Your Business from Data Breach
Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your
More informationA Rackspace White Paper Spring 2010
Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry
More informationAdyen PCI DSS 3.0 Compliance Guide
Adyen PCI DSS 3.0 Compliance Guide February 2015 Page 1 2015 Adyen BV www.adyen.com Disclaimer: This document is for guidance purposes only. Adyen does not accept responsibility for any inaccuracies. Merchants
More informationCHEAT SHEET: PCI DSS 3.1 COMPLIANCE
CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,
More informationPayment Cardholder Data Handling Procedures (required to accept any credit card payments)
Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Introduction: The Procedures that follow will allow the University to be in compliance with the Payment Card Industry
More informationPayment Card Industry Data Security Standard (PCI DSS) v1.2
Payment Card Industry Data Security Standard (PCI DSS) v1.2 Joint LA-ISACA and SFV-IIA Meeting February 19, 2009 Presented by Mike O. Villegas, CISA, CISSP 2009-1- Agenda Introduction to PCI DSS Overview
More informationPCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com
PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement
More informationYour guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)
Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions Version 5.0 (April 2011) Contents Contents...2 Introduction...3 What are the 12 key requirements of
More informationPCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014
PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions
More informationPayment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security
Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security John Mason Slides & Code - labs.fusionlink.com Blog - www.codfusion.com What is PCI-DSS? Created by the
More informationPayment Card Industry Data Security Standard Explained
Payment Card Industry Data Security Standard Explained Agenda Overview of PCI DSS Compliance Levels and Requirements PCI DSS in More Detail Discussion, Questions and Clarifications Overview of PCI-DSS
More information1/18/10. Walt Conway. PCI DSS in Context. Some History The Digital Dozen Key Players Cardholder Data Outsourcing Conclusions. PCI in Higher Education
PCI in Higher Education Walter Conway, QSA 403 Labs, LLC Walt Conway PCI consultant, blogger, trainer, speaker, author Former Visa VP Help schools become PCI compliant Represent Higher Education at PCI
More informationPayment Card Industry Compliance Overview
January 31, 2014 11:30am 12:30pm Central Hosted by: Texas.gov Presented by: Jayne Holland Barbara Brinson Payment Card Industry Compliance Overview Securing Government Payments Audio Dial In: 866-740-1260
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers For use with PCI DSS Version 3.1 Revision 1.1 July 2015 Section 1: Assessment
More informationKey Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
More informationPayment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version 3.0 November 2013
Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.0 November 2013 Document Changes Date Version Description Pages October 2008 1.2 July 2009 1.2.1
More informationPCI DSS COMPLIANCE DATA
PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities
More informationSecurity Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments
Security in the Payment Card Industry OWASP AppSec Seattle Oct 2006 Hap Huynh, Information Security Specialist, Visa USA hhuynh@visa.com Copyright 2006 - The OWASP Foundation Permission is granted to copy,
More informationThe Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development
The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment Card Industry Data Security Standards
More informationPCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:
What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 1.1 February 2008 Table of Contents About this Document... 1 PCI Data Security Standard
More informationThis appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected
This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.
More informationSection 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
More informationPayment Card Industry (PCI) Compliance A QSA Perspective
Payment Card Industry (PCI) Compliance A QSA Perspective Agenda Introduction Getting Started Data Flows Gap Assessment Remediation What is Payment Card Industry (PCI)? Industry imposed mandate to secure
More informationWHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI
WHITEPAPER Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI About PCI DSS Compliance The widespread use of debit and credit cards in retail transactions demands
More informationNorth Carolina Office of the State Controller Technology Meeting
PCI DSS Security Awareness Training North Carolina Office of the State Controller Technology Meeting April 30, 2014 agio.com A Note on Our New Name Secure Enterprise Computing was acquired as the Security
More informationPuzzled about PCI compliance? Proactive ways to navigate through the standard for compliance
Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More informationPayment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions
PCI/PA-DSS FAQs Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions What is PCI DSS? The Payment Card Industry Data
More informationHow To Protect Your Business From A Hacker Attack
Payment Card Industry Data Security Standards The payment card industry data security standard PCI DSS Visa and MasterCard have developed the Payment Card Industry Data Security Standard or PCI DSS as
More informationMerchant guide to PCI DSS
Merchant guide to PCI DSS Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 BOIPA Simple PCI DSS - 3 step approach to helping businesses... 3 What does
More informationSo you want to take Credit Cards!
So you want to take Credit Cards! Payment Card Industry - Data Security Standard: (PCI-DSS) Doug Cox GSEC, CPTE, PCI/ISA, MBA dcox@umich.edu Data Security Analyst University of Michigan PCI in Higher Ed
More informationBAE Systems PCI Essentail. PCI Requirements Coverage Summary Table
BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance
More informationPayment Card Industry Data Security Standards
Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This
More informationWhat s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1
What s New in PCI DSS 2.0 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 Agenda PCI Overview PCI 2.0 Changes PCI Advanced Technology Update PCI Solutions 2010 Cisco and/or
More informationCyber - Security and Investigations. Ingrid Beierly August 18, 2008
Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version
More information