2010 Finance & Business Operations Symposium (FBOS): PCI Compliance

Speakers: Cort M. Kane, COO, designdata; Judy Durham, CFO, NPES; Kymberly Bonzelaar, Sr. VP, Capital One; Richard Eggleston, Sr. Project Director, TMAR

Connecting Great Ideas and Great People

Agenda
- Introduction of Speakers
- Overview of PCI Standards
- The Bank's Perspective
- Insight from an AMS Company
- Tales of an Association CFO
Why all the fuss?
- PCI compliance by merchants is mandatory by July 2010.
- So what if we aren't compliant by July 2010? What are the consequences?
- How do I get my arms around these regulations and get PCI compliant?

Twelve PCI/DSS Requirements
#1 - Install & maintain a firewall configuration to protect cardholder data
- Establish firewall & router configurations that restrict access to cardholder information.
- Create a DMZ for cardholder data.
- Implement personal firewalls for laptops and mobile connections to data.
Twelve PCI/DSS Requirements
#2 - Do not use vendor-supplied defaults for system passwords and other security parameters
- Change vendor-supplied password defaults before installing a system on the network.
- Change wireless vendor-supplied defaults if wireless is used.
- Disable all unnecessary functions and services.

Twelve PCI/DSS Requirements
#3 - Protect stored cardholder data
- Keep stored cardholder data to a minimum.
- Do not store full magnetic stripe data; encrypt the data that is stored.
- Keep only the following information: cardholder name, primary account number (masked), expiration date, service code.
Twelve PCI/DSS Requirements
#4 - Encrypt transmission of cardholder data across open, public networks
- Use SSL/TLS or IPSEC.
- For wireless networks, WEP encryption is no longer allowed after June 30.
- Never send unencrypted end-user information (PAN) by e-mail, IM or chat.

Twelve PCI/DSS Requirements
#5 - Use & regularly update anti-virus software or programs
- Deploy anti-virus software on all systems.
- Ensure anti-virus programs are running and regularly updated.
Twelve PCI/DSS Requirements
#6 - Develop & maintain secure systems & applications
- Ensure all systems & applications have the latest vendor-supplied patches & updates.
- Develop applications that are PCI/DSS compliant and ensure all 3rd-party applications have met PCI/DSS requirements.
- Separate development & test environments from production.
- Develop all web apps using secure coding guidelines such as the Open Web Application Security Guide.

Twelve PCI/DSS Requirements
#7 - Restrict access to cardholder data by business need to know
- Provide access only to staff whose jobs require such access.
- Default "deny all" setting for user access.
Twelve PCI/DSS Requirements
#8 - Assign a unique ID to each person with computer access
- In addition to the unique ID, employ at least one of the following authentication methods: strong password; two-factor authentication (i.e., token devices, smart cards, biometrics, etc.).
- Render all passwords unreadable with encryption.
- Do not allow group or shared passwords.
- Change passwords every 90 days.
- Make idle sessions time out after 15 minutes.

Twelve PCI/DSS Requirements
#9 - Restrict physical access to cardholder data
- Use appropriate physical access controls.
- Use video or other access control methods to monitor physical access.
- Develop procedures to quickly distinguish visitors from staff.
- Store backup media securely, destroy it when no longer needed, and encrypt the data stored.
Twelve PCI/DSS Requirements
#10 - Track & monitor all access to network resources and cardholder data
- Link admin privileges to individuals.
- Implement automated audit trails & secure them so they cannot be changed or deleted.
- Review all system logs daily.
- Use file monitoring or change detection software on logs.

Twelve PCI/DSS Requirements
#11 - Regularly test security systems & processes
- Test for rogue wireless access points.
- Run internal and external network scans (at minimum by an approved ASV every 6 months).
- Perform internal & external network and application tests.
- Use intrusion detection systems.
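Two items in requirement #10 above, securing audit trails so they cannot be changed or deleted and using change-detection software, can be shown concretely. The following is an added Python example, not code from the presentation or from any of the speakers' organizations: it baselines a directory of files by SHA-256 and reports added, removed and modified files, and it keeps an audit log as a hash chain so that editing or deleting an earlier entry breaks verification. The directory layout, the log records and the tampering scenario in demo() are constructed for illustration.

```python
"""Added example: file-integrity baseline/compare plus a tamper-evident
(hash-chained) audit trail. Not the presentation's code; file names, log
records and the tampering scenario below are constructed."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large logs do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare_baseline(old, new):
    """Classify differences between two baselines (what a daily review sees)."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


class ChainedAuditLog:
    """Append-only log where each entry carries the hash of the previous
    entry; altering or dropping a past record invalidates every later link."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, record):
        payload = prev_hash + json.dumps(record, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"record": record, "prev": prev,
                             "hash": self._digest(prev, record)})

    def verify(self):
        """Return the index of the first broken link, or None if intact."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["record"]):
                return i
            prev = e["hash"]
        return None


def demo():
    """Constructed scenario: baseline a directory, then modify, delete and add
    files; then build a two-entry audit log and tamper with the first entry."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in {"app.cfg": b"db=cards\n", "web.xml": b"<x/>"}.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        before = build_baseline(root)
        with open(os.path.join(root, "app.cfg"), "ab") as fh:
            fh.write(b"debug=1\n")                       # changed config
        os.remove(os.path.join(root, "web.xml"))         # deleted file
        with open(os.path.join(root, "unexpected.txt"), "wb") as fh:
            fh.write(b"new")                             # file that should not be there
        diff = compare_baseline(before, build_baseline(root))

    log = ChainedAuditLog()
    log.append({"user": "admin", "action": "login"})
    log.append({"user": "admin", "action": "export", "rows": 12})
    intact = log.verify()                                # None: chain is good
    log.entries[0]["record"]["user"] = "nobody"          # after-the-fact edit
    return diff, intact, log.verify()                    # last value: 0


if __name__ == "__main__":
    print(demo())
```

In practice the baseline and the chain head would be written to a separate, write-restricted host so that whoever can edit the monitored files or logs cannot also rewrite the reference values.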
Twelve PCI/DSS Requirements
#12 - Maintain a policy that addresses information security for employees and contractors
- Establish & maintain a formal security policy that: addresses all PCI/DSS requirements; includes an annual formal risk assessment; is reviewed annually for changes.
- Develop and publish acceptable use policies.
- Establish a control team for information security.
- Implement a formal security education and awareness program.
- Maintain continual review of 3rd-party providers.

Security Standards for the Payment Card Industry: Is your company PCI DSS compliant?
Kimberly Bonzelaar, Senior Vice President, Capital One Merchant Services
American Society of Executives Finance and Business Operations Symposium, May 2010
Data Compromise Trends
- Visa estimates that 85% of all breaches occur at small businesses.*
- External hacking and malware (viruses and harmful software) are on the rise.
- Point-of-Sale systems with backend databases storing card numbers continue to be a favorite target for hackers and crooks.
Source: *

How Breaches Occur
- The vast majority of breaches are a result of hacks which exploit security weaknesses in customer networks that allow access to payment devices and databases.
- Data breaches are not just due to hacks:
  - Improper data handling; e.g., lost disks/laptops, paper files.
  - Lack of a clear security policy; e.g., lack of well-defined access controls, password policy, change management, background checks, etc.
Top 5 Causes of Credit Card Data Breaches
1. Storage of prohibited data
2. Unpatched systems
3. Vendor default settings and passwords (i.e., unsecured wireless networks)
4. Poorly coded web applications resulting in SQL injection attacks; e.g., a dummy account on top of your real account
5. Unnecessary services on servers; e.g., software products not being used

Data: What can and cannot be stored?

Data element                 Storage permitted   Protection required
Cardholder data
  Account Number             Yes                 Yes
  Cardholder Name            Yes                 Yes
  Expiration Date            Yes                 Yes
Authentication Data
  Magnetic Stripe            No                  N/A
  CVV                        No                  N/A
  PIN Data                   No                  N/A
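The storage table above, applied in code. This is an added Python example, not from the presentation: sanitize_for_storage() drops the authentication-data fields and any unrecognised field, and masks the account number to its first six and last four digits (the most PCI DSS allows to be displayed); find_pans() scans free text such as a log line for Luhn-valid card numbers, which is how "storage of prohibited data" (cause #1 above) typically surfaces in logs and database dumps. The field names, the sample record and the log line are constructed; the card number is the widely published 4111 1111 1111 1111 test value, not a real account.

```python
"""Added example (not the presentation's code): enforce the cardholder-data
storage table in code and detect card numbers that leaked into free text.
Field names, the sample record and the log line are constructed."""
import re

# From the table: elements that may be stored (with protection) and
# authentication data that must never be stored after authorization.
PERMITTED = {"pan", "cardholder_name", "expiration_date", "service_code"}
PROHIBITED = {"magnetic_stripe", "track_data", "cvv", "cvv2", "pin", "pin_block"}


def luhn_valid(digits):
    """Luhn check digit test; filters order numbers and timestamps out of scans."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep at most the first six and last four digits of the account number."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record):
    """Return a copy safe to persist: prohibited fields dropped, PAN masked,
    unknown fields dropped as well (default deny, mirroring requirement #7)."""
    out = {}
    for key, value in record.items():
        k = key.lower()
        if k in PROHIBITED or k not in PERMITTED:
            continue
        out[k] = mask_pan(value) if k == "pan" else value
    return out


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text):
    """Return Luhn-valid card-number candidates found in free text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed inputs: a full record as a payment form might post it, and a
# log line in which the application wrote the card number out in clear.
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "A. Member",
    "expiration_date": "12/12",
    "service_code": "201",
    "track_data": "%B4111111111111111^MEMBER/A^1212101?",
    "cvv2": "123",
    "pin_block": "0123456789ABCDEF",
}
SAMPLE_LOG = ("2010-05-12 10:01:22 order=1234567890123456 "
              "card=4111111111111111 amount=49.00")


def demo():
    """Sanitize the record and scan the log line; order=... fails Luhn and is ignored."""
    return sanitize_for_storage(SAMPLE_RECORD), find_pans(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```

Running the scanner over application logs, database exports and backups is the practical way to confirm that the "No" rows of the table hold in your environment, not just in the data model.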
Increasing Data Compromise Trends Indicate
- Lack of awareness of data security requirements and responsibilities
- Failure to upgrade older systems and technologies on a regular basis
- Hackers getting smarter

PCI DSS: Getting Tough on Data Security
- Standards maintained and enforced by the PCI Security Standards Council
- It is all about cardholder data security
- A set of 12 standards to ensure data protection
- Visit the PCI Security Standards Council website to learn more
Who Needs to Worry about PCI DSS?
- Any entity that stores, processes or transmits cardholder data: merchants; service providers (issuers/acquirers/processors/third-party providers)
- Annual compliance requirements for all entities storing data

Compliance with PCI DSS
- All merchants must comply with PCI DSS requirements as mandated by the card associations
- The acquirer is responsible for ensuring merchants are compliant
- Heavy fines ranging from $5,000 to $50,000 and beyond for non-compliance
PCI DSS Compliance Requirements
All 12 PCI DSS requirements address the following main security issues:
- Network Environment: building and maintaining a secure network
- Data Storage Security: access controls, encryption and data transfer
- Security Policy: a comprehensive policy for testing and maintaining secure payment channels

PCI DSS Plan
- Make sure your acquirer utilizes a third-party vendor that is certified as an approved PCI-compliant scanning vendor
- Complete any required risk assessments, self-assessment questionnaires and network scans where applicable
How You Can Help
- Educate your members about the importance of data security
- Guide your members to the right resources for PCI compliance
- Use PCI compliance measures as a tool to promote the value your association brings to your members

Questions
Kimberly Bonzelaar, Senior Vice President, Capital One Bank Merchant Services
Kimberly.Bonzelaar@capitalonebank.com

This presentation is for informational purposes only, does not constitute the rendering of legal, accounting or other professional services by Capital One, N.A. or any of its subsidiaries or affiliates, and is without any warranty whatsoever. Capital One. Member FDIC. All rights reserved.
PCI Requirements for Payment Application Installation and Usage: Using the PA-DSS Implementation Guide to Ensure PCI-DSS Compliance
Richard Eggleston, Senior Project Director, TMA Resources
American Society of Executives Finance and Business Operations Symposium, May 2010

Introduction
Richard Eggleston
- Principal Project Manager with TMA Resources, Inc. since January
- Managed the PA-DSS compliance certification for TMA Resources' Personify software
- Supports internal and external clients with the evolving PCI standards
Introduction to PCI PA-DSS
- Effective July 1, 2010, all merchants must use PA-DSS compliant applications. (Visa)
- In-scope applications are most commercial applications that store, process, or transmit cardholder data as part of an authorization for payment.
- Payment applications should facilitate, and not prevent, the customers' PCI Data Security Standard compliance.

Examples of Non-Compliant Applications
- Store magnetic stripe data after authorization.
- Require disabling other features required by the PCI Data Security Standard, like anti-virus software or firewalls, in order to get the payment application to work properly.
- An application vendor's use of unsecured methods to connect to the application to provide support.
Purpose of the PA-DSS Implementation Guide
- To instruct customers and resellers/integrators on secure product implementation.
- To document the secure configuration specifics required for a compliant installation.
- To clearly delineate vendor, reseller/integrator, and customer responsibilities for meeting PCI Data Security Standard requirements.

PA-DSS Implementation Guide Topics
- Delete cardholder data stored by previous versions of the payment application.
- Delete any sensitive authentication data (pre-authorization) gathered as a result of troubleshooting the payment application.
- Purge cardholder data after the customer-defined retention period.
PA-DSS Implementation Guide Topics
- Delete cryptographic key material or cryptograms stored by previous versions of the payment application.
- Use unique usernames and secure authentication for administrative access to the payment application and also for any access to cardholder data.
- Implement automated audit trails.

PA-DSS Implementation Guide Topics
- Implement secure wireless technology.
- Secure transmissions of cardholder data over wireless networks.
- Store cardholder data only on servers that are not connected to the internet.
- Securely deliver remote payment application software updates.
PA-DSS Implementation Guide Topics
- Implement two-factor authentication for remote access to the payment application.
- Securely implement remote access software.
- Secure transmissions of cardholder data over public networks.
- Encrypt cardholder data sent over end-user messaging technologies.
- Encrypt non-console administrative access.

Questions & Resources
- PCI Council website
- Visa Merchants website: ement/cisp_merchants.html
- Visa Payment Applications: ement/cisp_payment_applications.html
An Association Perspective on PCI Compliance: Tales from the trenches of a CFO
Judy Durham, CFO, NPES
American Society of Executives Finance and Business Operations Symposium, May 2010

About NPES
- Three associations working under one network: NPES - Trade Association ($5 mil budget); GASC - Show Company ($20 mil budget); GAERF - Foundation ($300K budget)
- 28 employees
- Database conversion from GoMembers to Personify (live on March 1, 2009)
- Great Plains General Ledger
- Located in Reston, VA
- SunTrust Bank (Checking Accounts and Merchant Services)
- NPES has an in-house IT Manager who has worked on PCI compliance issues
- Nortec: outside network support
The PCI Compliance Journey
Selected Security Metrics Support. If you store credit card information electronically:
- Merchant SAQ Validation Type: 5
- You will need to enroll in the Quarterly Site Certification, which includes the following service: 12-month service; PCI-approved external vulnerability scanning; online PCI Self-Assessment Questionnaire (SAQ); scans performed automatically each quarter; unlimited rescanning; unlimited calls to customer/technical support; use of the Site Certified logo; automatic acquirer reporting

The PCI Compliance Journey
Ongoing efforts toward compliance:
- Have to update the application for each issue addressed
- Had issues with the ISP secure connection

My thoughts:
- This can/will be a much bigger process than you think
- Get the assistance of an outside vendor to help you determine all areas that will need to be addressed
- The process will take you longer than you anticipated; get started NOW!
Contact Information
Cort M. Kane, COO, designdata
Phone:
Website:

Connecting Great Ideas and Great People

Questions
More informationWorldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)
Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) What is PCI DSS? The 12 Requirements Becoming compliant with SaferPayments Understanding the jargon SaferPayments Be smart.
More informationHow To Protect Data From Attack On A Network From A Hacker (Cybersecurity)
PCI Compliance Reporting Solution Brief Automating Regulatory Compliance and IT Best Practices Reporting Automating Compliance Reporting for PCI Data Security Standard version 1.1 The PCI Data Security
More informationPayment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS
The PCI Security Standards Council http://www.pcisecuritystandards.org The OWASP Foundation http://www.owasp.org Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS Omar F. Khandaker,
More informationTREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS
TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration
More informationAccounting and Administrative Manual Section 100: Accounting and Finance
No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security
More informationPCI Compliance for Cloud Applications
What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage
More informationPayment Card Industry (PCI) Compliance. Management Guidelines
Page 1 thehelpdeskllc.com 855-336-7435 Payment Card Industry (PCI) Compliance Management Guidelines About PCI Compliance Payment Card Industry (PCI) compliance is a requirement for all businesses that
More informationVisa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices
This document is to be used to verify that a payment application has been validated against Visa U.S.A. Payment Application Best Practices and to create the Report on Validation. Please note that payment
More informationSecurity Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments
Security in the Payment Card Industry OWASP AppSec Seattle Oct 2006 Hap Huynh, Information Security Specialist, Visa USA hhuynh@visa.com Copyright 2006 - The OWASP Foundation Permission is granted to copy,
More informationWhite Paper. Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance
White Paper Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance Best Practices to Protect the Cardholder Data Environment and Achieve PCI Compliance Executive Overview
More informationWindows Azure Customer PCI Guide
Windows Azure PCI Guide January 2014 Version 1.0 Prepared by: Neohapsis, Inc. 217 North Jefferson St., Suite 200 Chicago, IL 60661 New York Chicago Dallas Seattle PCI Guide January 2014 This document contains
More informationInformation Security Services. Achieving PCI compliance with Dell SecureWorks security services
Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)
More informationDATA SECURITY. Payment Card Industry (PCI) Compliance Steps for Organizations May 26, 2010. 2010 Merit Member Conference
2010 Merit Member Conference Compliance Steps for Organizations May 26, 2010 Payment Card Industry (PCI) 1 Welcome 2 Welcome Q & A We ll leave time to address questions during the last 15 minutes of the
More informationNeed to be PCI DSS compliant and reduce the risk of fraud?
Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction
More informationCyber - Security and Investigations. Ingrid Beierly August 18, 2008
Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities
More information2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)
CSU, Chico Credit Card Handling Security Standard Effective Date: July 28, 2015 1.0 INTRODUCTION This standard provides guidance to ensure that credit card acceptance and ecommerce processes comply with
More informationPayment Cardholder Data Handling Procedures (required to accept any credit card payments)
Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Introduction: The Procedures that follow will allow the University to be in compliance with the Payment Card Industry
More informationParallels Plesk Panel
Parallels Plesk Panel Contents Introduction 3 Tune Panel to Meet PCI DSS 5 Linux-based Servers... 6 Microsoft Windows-based Servers... 10 Tune Business Manager to Meet PCI DSS 13 Remove Unprotected Sensitive
More informationHow NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements
How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards
More informationThe 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
More informationPCI DSS v2.0. Compliance Guide
PCI DSS v2.0 Compliance Guide May 2012 PCI DSS v2.0 Compliance Guide What is PCI DSS? Negative media coverage, a loss of customer confidence, and the resulting loss in sales can cripple a business. As
More informationPCI DSS Compliance. 2015 Information Pack for Merchants
PCI DSS Compliance 2015 Information Pack for Merchants This pack contains general information regarding PCI DSS compliance and does not take into account your business' particular requirements. ANZ recommends
More informationPayment Card Industry Data Security Standards.
Payment Card Industry Data Security Standards. Your guide to protecting cardholder data Helping you manage the risk. Credit Card fraud and data compromises are an increasingly serious problem, costing
More informationCase 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A
Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879 Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 2 of 116 PageID: 4880 Payment Card Industry (PCI)
More informationPCI COMPLIANCE GUIDE For Merchants and Service Members
PCI SAQ C-VT PCI COMPLIANCE GUIDE For Merchants and Service Members PCI DSS v2.0 SAQ CVT Merchant Guide 1 Contents Contents... 2 Introduction... 3 Defining an SAQ C Merchant... 3 REQUIREMENTS FOR SAQ-VT...
More informationTwo Approaches to PCI-DSS Compliance
Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,
More informationKey Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
More informationPCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.1
PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.1 For merchants and other entities involved in payment card processing Contents PCI DSS Quick Reference
More information