PCI Compliance is More Than a Matter of Dollars (and Sense) Are Your Clients Properly Protected Against Lost or Stolen Data?
|
|
- Elfrieda Henry
- 8 years ago
- Views:
Transcription
1 PCI Compliance is More Than a Matter of Dollars (and Sense) Are Your Clients Properly Protected Against Lost or Stolen Data?
2 Overview Every electronic transaction creates an opportunity for unscrupulous activities to occur. When these activities are corrupted, the damage can be significant; ranging from a simple one-time illegal purchase by a clerk or waitress using a customer s credit information, to a full-blown identity theft using thousands (even millions) of people s stolen personal data. Neither situation is desirable or tolerable in the business community, especially when both can be prevented or curtailed with the implementation of industry-proven security best practices and the proper systems. That s why businesses that deal with credit transactions must remain particularly diligent, addressing each of the specific danger areas associated with processing. Without the proper security processes and technologies in place, their client data could be compromised or stolen, and the repercussions of a breach go much further than lost customer confidence. Lawsuits and financial restitution can be significant, especially if the activity is the result of the retailer not following well publicized best practices. In order to provide greater guidance to businesses that accept credit cards and ensure that their clients are properly protected, the major payment card organizations established a set of standards that have been implemented over the past few years. American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. came together to create the Payment Card Industry Data Security Standard (PCI DSS). These rules provide an actionable framework for securing payment card data, including deterrence, discovery and the appropriate response to breaches and other security-related events. PCI DSS version 2.0 (implemented January 1,, 2012) applies equally to all businesses that store, process or transmit bank cardholder data. Failure to comply with these rules can result in hefty penalties, regardless of a merchant s intent or lack of awareness. The latest version extends the implementation, feedback, review and revision processes to a three-year cycle (previously two-years), and updates key security provisions including firewall protection, password and key management, and related documentation. These standards impact a number of organizations that participate in retail operations, including merchants, payment card issuing banks, processors, developers and technology vendors. Of course, solution providers who support these businesses play a major part in PCI DSS, ensuring that their clients (as well as their end user customers) understand the systems and protection required to fulfill their obligations. 2
3 VARs and managed services providers have a tremendous opportunity with retailers, as long as they can offer solid guidance, implementation and support services needed to appropriately address these standards. The Basics of PCI DSS In order to help merchants navigate and better understand the conditions and implications of these standards, the PCI Security Standards Council has taken great pains to distribute the most critical information to everyone involved. Despite their efforts, the material can be cumbersome and hard for many retailers to comprehend. That s where solution providers can really excel, filtering out the critical details and offering sound advice to help merchants meet the compliance requirements that pertain to their particular organizations. Even though the PCI Security Standards Council developed the specific standards addressed in this paper, compliance is actually mandated by the individual payment card companies. Visa, MasterCard, American Express, Discover and JCB International each have their own specific requirements and compliance levels. While many of these are minor, solution providers need to understand the nuances of each to ensure their clients are aptly protected. For example, while PCI DSS compliance is divided into four general merchant categories, each credit card company may add their own stipulations to each. Solution providers who service the retail vertical need to not only understand the differences, but to ensure their clients payment processes adhere to those variations. The general PCI DSS categories include: Compliance level 1: Those who process more than 6,000,000 transactions per year, as well as those with a previous security violation/data breach or who have been listed as category 1 by a particular credit card company. This status requires yearly on-site reviews by an internal auditor, as well as a network scan by an approved scanning vendor (ASV). Compliance Level 2: Businesses with between 150,000 to 6,000,000 transactions per year. Merchants must complete an annual Self-Assessment Questionnaire (SAQ) and submit to a network scan using an approved scanning vendor. 3
4 Compliance Level 3: Retailers that process 20,000 to 150,000 transactions per year. Also requires annual completion of a SAQ and a network scan with an approved scanning vendor. Compliance Level 4: Merchants with less than 20,000 transactions per year. Same annual requirements as Level 2 and Level 3 merchants. Although they conduct the fewest transactions, Compliance Level 4 retailers make up approximately 99% of the businesses that process credit cards in the United States and typically have the least amount of IT support. The lack of a dedicated onsite IT security professional presents a serious risk for retailers, and a significant opportunity for solution providers with PCI DSS skills. With many businesses lessening their dependence on cash only policies, and others moving to cashless transactions, the focus on PCI DSS compliance is expected to intensify. Since every company that accepts credit must obey the standards, its prevalence presents a great new specialty practice opportunity for VARs and MSPs. Of course, the first thing solution providers need to know is the three critical steps in PCI DSS compliance. 1. PCI DSS compliance: 1. Assess: identify cardholder data, inventory the company s IT assets and business processes for payment card processing, and analyze each for security weaknesses. 2. Remediate: address perceived vulnerabilities and remove unneeded cardholder data. 3. Report: compile and submit remediation authentication records (if applicable), and provide compliance reports to each bank and payment card company they do business with. PCI DSS standards mirror the practices that security-oriented solution providers already employ, following industry practices to properly protect the data and infrastructure of their business customers. While some of the terms and acronyms used 4
5 by retailers and payment processing vendors may be unique, the basic processes and technologies required to secure their information and infrastructure don t differ significantly. 2. The Solution Provider Role (and Accountability) While PCI DSS can be complicated for the novice solution provider, the payment card industry understands the important part they play in compliance. To help those who build and support secure payment applications, the PCI Security Council created a number of compliance-related resources and programs. That includes the Payment Application Data Security Standard (PA-DSS) and a list of Validated Payment Applications to select from, along with Self-Assessment Questionnaires that allow merchants to authenticate their current security procedures. Compliance goes beyond credit card processing systems. It extends to the network, data storage infrastructure and any method involved in the management or transport of customer data, with responsibility falling on the merchant and those who support it. Solution providers who fail to implement PCI DSS compliant solutions may find themselves liable (at least in part) for any damages their clients and their customers suffer. Fines levied by banks and credit card institutions on noncompliant merchants can range from $5,000 to $500,000, and lawsuits from compromised end user data can push those costs much higher. To be successful in the retail vertical, solution providers just need to follow the six control objectives for PCI DSS: 1. Build and Maintain a Secure Network Install and maintain an effective firewall configuration to protect cardholder data Avoid vendor-supplied defaults for system passwords and related protection measures 2. Protect Cardholder Data Protect all stored cardholder data Encrypt transmission of cardholder data across open, public networks 3. Maintain a Vulnerability Management Program 5
6 Employ and update anti-virus software on a continual basis Develop and maintain secure systems and solutions 4. Implement Strong Access Control Measures Restrict access to cardholder data by business necessity Assign a unique identification to each person with system and network access Restrict physical access to cardholder data (door locks, alarms and other safeguards) 5. Regularly Monitor and Test Networks Track and monitor all access to networks, applications and cardholder data Regularly test system protection and processes 6. Maintain an Information Security Policy Maintain a policy that addresses data security To address the specific requirements of PCI DSS, providers need to validate every procedure and technology solution their clients use in electronic payments, from the card swipe device to their data storage policies. That attention to detail must also include a continual review of all vendor offerings, verifying that their data protection methods are effective and identifying (and fixing) potential vulnerabilities. The same diligence is required when it comes to evaluating cloud applications and offsite storage services. By ensuring that vendor offerings are PCI DSS compliant when properly implemented, and periodically validating those systems security settings, solution providers fulfill a big part of their responsibilities. Of course, they still need to work closely with suppliers to communicate potential risks, failures or other issues that could compromise the security of their clients data. 3. Concerns and Opportunities Related to PCI DSS Every new business practice comes with some risk. Solution providers who add a retail specialty to their portfolio have to pay careful attention to the specific hazards associated with credit transactions. Since the most important aspects of PCI DSS are data protection and network security, most channel professionals have at least the basic skills needed to support this market. 6
7 Understand the Language The hardest part for most new entrants is learning the industry vernacular, especially the terms relating to electronic payment processing. No solution provider should make their first retail sales call without a full understanding of chargebacks, acquirers and merchant agreements. The acronyms used in the payment processing world are abundant and critical to the success of a PCI DSS expertise, from CVC2 (Card Validation Code) and TID (Terminal Identification Number) to SDP (Site Data Protection) and EFT (Electronic Funds Transfer). Solution providers can overcome the language barrier by engaging in PCI-related vendor or industry training, or by hiring an experienced professional who can develop an internal education program. Each employee involved in the design, sales, implementation and support of payment processing solutions should be proficient in the terminology, with an understanding of how each affects their business clients and their end user customers. Keep the Proper Focus The number one goal of any PCI DSS solution is ensuring end-to-end security, from the moment a customer pulls out their credit or debit card until the card-holder data is fully erased from the system. For a brick-and-mortar retailer that protection includes every employee who touches (or sees) the payment card and/or the information it contains. Solution providers need to stress the importance of this PCI DSS aspect with their clients, and offer best practice tips to minimize risk. For example, by adding mobile card readers at restaurants, their patrons can swipe their own cards at their table, preventing unscrupulous employees from copying the information in back rooms (or anywhere out of eyesight). Other physical security measures that should be implemented include proper system lockdown with a separate PIN for each employee. That not only makes it difficult for unauthorized individuals to gain access to the system and cardholder data, but allows business to better track their employees activities. Solution providers need to pay attention to a number of factors for full PCI DSS compliance, but by focusing on two specific areas they can meet the vast majority of requirements: 7
8 1. Protect stored cardholder data 2. Encrypt transmission of cardholder data across open, public networks. By amending a retailer s onsite payment processes and implementing the proper security technologies, solution providers can begin to meet the PCI DSS requirements, but that still leaves serious gaps outside the business. Has the network been locked down, with effective access protection? Is cardholder data stored improperly onsite, and do they use effective and secure data backup and recovery systems? That s an area where VARs and MSPs can really help their customers meet full PCI DSS compliance, implementing a full solution (from terminal to network support) that addresses each industry best practice and rule. When building a comprehensive retail practice, solution providers must carefully evaluate each part of their portfolio, adding or replacing the products or services that don t ensure their success. For example, does their cloud backup and recovery vendor meet the control requirements of PCI DSS? Can their wireless solutions provide the proper network protection? If not, it s usually easy to build a more effective system, or replace the vendor with one that understands (and can address) the challenges of retail businesses. With ongoing updates and maintenance to these solutions, providers can play a key role in their clients day-to-day and long-term business practices. That s a sure way to build a successful retail IT practice. 4. Validation Another key aspect of PCI DSS compliance is the required reporting schedules. Credit card companies validate that retailers and their providers are abiding by the regulations on an annual basis, with the volume of transactions (and risk) determining the depth of that evaluation (as covered previously in The Basics of PCI DSS ). Along with requiring participating businesses to complete a self-assessment questionnaire, MasterCard and Visa perform on-site visits and network scans performed by authorized PCI compliance scanning vendors. Solution providers can assist merchants in preparing these reports, preparing the details, schematics and even the policies to be used to meet compliance. The information contained in PCI DSS Reports includes: Summary of findings: a general statement and details of the security assessment 8
9 Business information: business description, contacts, and provider/processor details Card payment infrastructure: network schematics, transaction flow diagram, terminal and POS (point of sale) solutions employed, wireless network details Third-party relationships: companies with access to cardholder data, such as solution providers, banking institutions and payment card vendors Achieving PCI DSS Compliance with Intronis Cloud Backup and Recovery Intronis Cloud Backup and Recovery can help VARs and MSPs meet PCI DSS compliance regulations with a solution that provides cloud and local backup and data recovery, proactive data security and reliable data retention and restoration. With Intronis, service providers can offer their clients complete data protection services with support for files and folders, Microsoft Exchange Information Store, Exchange mailbox, SQL, System State and VMware images. Backups are highly automated and enable fast and easy restores and are performed from a single management console. Protection of Card Holder Data: Encryption in Storage and Transfer The Intronis solution was developed with PCI DSS compliance regulations in mind, protecting against threats to consumer privacy. Intronis offers VARs and MSPs a configurable solution to help their customers conform to these critical compliances and alleviate the security risks associated with data loss and breaches. Intronis minimizes the threat of lost or stolen data during the transfer and storage of data across open networks with multiple layers of encryption. Intronis uses 256-bit AES local file encryption and secures data in transit using 128-bit encryption with SSL (Secure Socket Layers) technology. Data that is moved to the cloud is stored and replicated in dual military-grade, SSAE 16 Type 2 certified data facilities which are located on differing coasts for redundancy and security. Data centers have 24/7 biometric controlled security and surveillance, backup generators and redundant connections to the Internet. Data Retention Intronis features the most robust data retention settings in the industry, enabling VARs and MSPs to offer a PCI DSS compliant-ready solution. Intronis configures to fit 9
10 the needs of different file types, number of revisions needed and required length of storage time so the right historical data is retained for the right period of time. Once stored, data is never accessible without a private encryption key which is never stored on the Intronis servers, mitigating the risk of unauthorized data access. Data Recovery and Testing Providng a PCI compliance solution requires the MSP to have the ability to test and restore customer data. This process must be easy and reliable to ensure compliance. With Intronis, service providers can restore data directly back to the customer s server, guaranteeing that data is recovered quickly and accurately, without the need to connect to the computer remotely or be onsite at the customer facility Performing a test restore is just as easy. Restore back to the customer s production server or the MSPs office, the process to test a restore is fast and reliable. Summary PCI DSS compliance is one of the largest challenges facing merchants, though it s just one of the many barriers to success. By creating a cost-effective consultation and solution practice powered by Intronis cloud and local backup, VARs and MSPs can capture new business and quickly become a crucial part of their new clients operations. PCI DSS expertise is just one part of a successful retail IT solution provider practice. A vast majority of these establishments are SMBs, with little or no internal IT support, creating a comprehensive support opportunity for VARs and MSPs. With the right technology and industry knowledge, a solution provider can enjoy long-term success in the retail vertical. For More Information on Intronis To help your clients meet PCI DSS compliance regulations, start a free trial of Intronis Cloud Backup and Recovery. Visit or call For More Information on PCI DSS Specific compliance and level validation questions should be directed to the retailer s acquiring financial institution. Only that company s particular financial institution can assign them a validation level. For more information, contact: 10
11 American Express: Discover Financial Services: MasterCard Worldwide: Visa Inc.: Visa Europe: 11
PCI DSS COMPLIANCE DATA
PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities
More informationP R O G R E S S I V E S O L U T I O N S
PCI DSS: PCI DSS is a set of technical and operational mandates designed to ensure that all organizations that process, store or transmit credit card information maintain a secure environment and safeguard
More informationPayment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008
Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements
More informationHow To Protect Your Credit Card Information From Being Stolen
Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)
More informationPCI Compliance: Protection Against Data Breaches
Protection Against Data Breaches Get Started Now: 877.611.6342 to learn more. www.megapath.com The Growing Impact of Data Breaches Since 2005, there have been 4,579 data breaches (disclosed through 2013)
More informationWHITE PAPER. PCI Basics: What it Takes to Be Compliant
WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through
More informationProject Title slide Project: PCI. Are You At Risk?
Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services
More informationWhitepaper. PCI Compliance: Protect Your Business from Data Breach
Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your
More informationWhitepaper. PCI Compliance: Protect Your Business from Data Breach
Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your
More informationPCI Compliance. Top 10 Questions & Answers
PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements
More informationPCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
More informationWorldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)
Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) What is PCI DSS? The 12 Requirements Becoming compliant with SaferPayments Understanding the jargon SaferPayments Be smart.
More informationPayment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions
PCI/PA-DSS FAQs Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions What is PCI DSS? The Payment Card Industry Data
More informationAISA Sydney 15 th April 2009
AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks
More informationPCI Compliance: How to ensure customer cardholder data is handled with care
PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4
More informationPCI Security Compliance
E N T E R P R I S E Enterprise Security Solutions PCI Security Compliance : What PCI security means for your business The Facts Comodo HackerGuardian TM PCI and the Online Merchant Overview The Payment
More informationWhite Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI
White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:
More informationSecurityMetrics Introduction to PCI Compliance
SecurityMetrics Introduction to PCI Compliance Card Data Compromise What is a card data compromise? A card data compromise occurs when payment card information is stolen from a merchant. Some examples
More informationLa règlementation VisaCard, MasterCard PCI-DSS
La règlementation VisaCard, MasterCard PCI-DSS Conférence CLUSIF "LES RSSI FACE À L ÉVOLUTION DE LA RÉGLEMENTATION" 7 novembre 07 Serge Saghroune Overview of PCI DSS Payment Card Industry Data Security
More informationHow To Protect Your Business From A Hacker Attack
Payment Card Industry Data Security Standards The payment card industry data security standard PCI DSS Visa and MasterCard have developed the Payment Card Industry Data Security Standard or PCI DSS as
More informationData Security Basics for Small Merchants
Data Security Basics for Small Merchants 28 October 2015 Stan Hui Director, Merchant Risk Lester Chan Director, Merchant Risk Disclaimer The information or recommendations contained herein are provided
More informationMasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.
MasterCard PCI & Site Data Protection (SDP) Program Update Academy of Risk Management Innovate. Collaborate. Educate. The Payment Card Industry Security Standards Council (PCI SSC) Open, Global Forum Founded
More information05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013
05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of
More informationPayment Card Industry Data Security Standards Compliance
Payment Card Industry Data Security Standards Compliance Please turn off, or to vibrate, all cell-phones/electronics Expected course length: 1 Hour Questions are welcomed. Who Created It? & What Is It?
More informationTNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business
TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment
More informationPayment Card Industry Data Security Standard
Payment Card Industry Data Security Standard Abhinav Goyal, B.E.(Computer Science) MBA Finance Final Trimester Welingkar Institute of Management ISACA Bangalore chapter 13 th February 2010 Credit Card
More informationBecoming PCI Compliant
Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History
More informationSection 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
More informationFrequently Asked Questions
PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply
More informationPCI DSS Payment Card Industry Data Security Standard. Merchant compliance guidelines for level 4 merchants
Appendix 2 PCI DSS Payment Card Industry Data Security Standard Merchant compliance guidelines for level 4 merchants CONTENTS 1. What is PCI DSS? 2. Why become compliant? 3. What are the requirements?
More informationComodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business
Comodo HackerGuardian PCI Security Compliance The Facts What PCI security means for your business Overview The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements intended
More informationPCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:
What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers
More informationCyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance
Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name
More informationHow To Protect Visa Account Information
Account Information Security Merchant Guide At Visa, protecting our cardholders is at the core of everything we do. One of the many reasons people trust our brand is that we make buying and selling safer
More informationTREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS
TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration
More informationFREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program
FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program MERCHANTS Can Level 1 merchants currently use internal auditors to perform an onsite assessment? Yes. However, after June 30,
More informationPC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA
PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?
More informationAdyen PCI DSS 3.0 Compliance Guide
Adyen PCI DSS 3.0 Compliance Guide February 2015 Page 1 2015 Adyen BV www.adyen.com Disclaimer: This document is for guidance purposes only. Adyen does not accept responsibility for any inaccuracies. Merchants
More informationWhat are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:
What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International
More informationDartmouth College Merchant Credit Card Policy for Processors
Mission Statement Dartmouth College Merchant Credit Card Policy for Processors Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance with the
More informationThis appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected
This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.
More informationDartmouth College Merchant Credit Card Policy for Managers and Supervisors
Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Mission Statement Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance
More informationPayment Card Industry Data Security Standards.
Payment Card Industry Data Security Standards. Your guide to protecting cardholder data Helping you manage the risk. Credit Card fraud and data compromises are an increasingly serious problem, costing
More informationPayment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.
Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 1.1 February 2008 Table of Contents About this Document... 1 PCI Data Security Standard
More informationPCI Compliance Overview
PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)
More informationHow To Comply With The Pci Ds.S.A.S
PCI Compliance and the Data Security Standards Introduction The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of
More informationPCI Data Security Standards. Presented by Pat Bergamo for the NJTC February 6, 2014
PCI Data Security Standards Presented by Pat Bergamo for the NJTC February 6, 2014 Introduction 3/3/2014 2 Your Speaker Patrick Bergamo, CISSP Director of Information Security & Delivery Delta Corporate
More informationComplying with PCI is a necessary step in safely accepting Payment Cards.
What Every Director Needs to Know About Credit Cards & Patron Privacy Complying with PCI is a necessary step in safely accepting Payment Cards. Know the Risks! Some Interesting Facts: 94% of data breaches
More informationNeed to be PCI DSS compliant and reduce the risk of fraud?
Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction
More informationUniversity Policy Accepting Credit Cards to Conduct University Business
BROWN UNIVERSITY University Policy Accepting Credit Cards to Conduct University Business Purpose Brown University requires all departments that are involved with credit card handling to do so in compliance
More informationPCI Standards: A Banking Perspective
Slide 1 PCI Standards: A Banking Perspective Bob Brown, CISSP Wachovia Corporate Information Security Slide 2 Agenda 1. Payment Card Initiative History 2. Description of the Industry 3. PCI-DSS Control
More informationThe Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development
The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment Card Industry Data Security Standards
More informationHIPAA COMPLIANCE AND
INTRONIS CLOUD BACKUP & RECOVERY HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction 3 The HIPAA Security Rule 4 The HIPAA Omnibus Rule 6 HIPAA Compliance and Intronis Cloud Backup and Recovery
More informationDon Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer
Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud
More informationFORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY
FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account
More informationComplying with PCI Data Security
Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring
More informationPuzzled about PCI compliance? Proactive ways to navigate through the standard for compliance
Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com
More informationKey Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
More informationPCI Compliance for Cloud Applications
What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage
More informationFREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program
FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program MERCHANTS Can Level 1 merchants currently use internal auditors to perform an onsite assessment? Yes. However, after June 30,
More informationPayment Card Industry Data Security Standards
Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This
More informationCHEAT SHEET: PCI DSS 3.1 COMPLIANCE
CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,
More informationWhy Is Compliance with PCI DSS Important?
Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These
More informationPCI DSS Overview. By Kishor Vaswani CEO, ControlCase
PCI DSS Overview By Kishor Vaswani CEO, ControlCase Agenda About PCI DSS PCI DSS Applicability to Banks, Merchants and Service Providers PCI DSS Technical Requirements Overview of PCI DSS 3.0 Changes Key
More informationICCCFO Conference, Fall 2011. Payment Fraud Mitigation: Securing Your Future
ICCCFO Conference, Fall 2011 Payment Fraud Mitigation: Securing Your Future Presented by: Brian Irwin, CTP Vice President Fifth Third Bank Commercial Treasury Management And Claire Dittrich Executive Consultant-
More informationTOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series
TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE ebook Series 2 Headlines have been written, fines have been issued and companies around the world have been challenged to find the resources, time and capital
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More informationMerchant guide to PCI DSS
Merchant guide to PCI DSS Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 BOIPA Simple PCI DSS - 3 step approach to helping businesses... 3 What does
More informationPCI DSS: An Evolving Standard
White Paper PCI DSS: An Evolving Standard PCI 3.0 and 3.1 Key Requirements Explained 2015 SecurityMetrics PCI DSS: An Evolving Standard 2 PCI DSS An Evolving Standard The Payment Card Industry Data Security
More informationPCI Data Security Standards
PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million
More informationYour guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)
Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions Version 5.0 (April 2011) Contents Contents...2 Introduction...3 What are the 12 key requirements of
More informationJosiah Wilkinson Internal Security Assessor. Nationwide
Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges
More informationAccounting and Administrative Manual Section 100: Accounting and Finance
No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security
More informationUniversity of Dayton Credit / Debit Card Acceptance Policy September 1, 2009
University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor
More information2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock
2015 PCI DSS Meeting OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock 11/3/2015 Today s Presentation What do you need to do? What is PCI DSS? Why PCI DSS? Who Needs to Comply
More informationPCI DSS. CollectorSolutions, Incorporated
PCI DSS Robert Cothran President CollectorSolutions www.collectorsolutions.com CollectorSolutions, Incorporated Founded as Florida C corporation in 1999 Approximately 235 clients in 35 states Targeted
More informationProperty of CampusGuard. Compliance With The PCI DSS
Compliance With The PCI DSS Today s Agenda PCI DSS Introduction How are Colleges and Universities Affected? How Do You Validate Compliance? Best Practices Q&A CampusGuard Full-Service QSA/ASV Firm We Know
More informationSECTION: SUBJECT: PCI-DSS General Guidelines and Procedures
1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities
More informationPCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com Overview PCI DSS In the beginning Each major card brand had its own separate
More informationHow To Become A Pca Compliant Organization
Compliance Management Merchant Guide 2012 Stay Clear Of Fraud Are You Concerned About Data Security Risks? Security is a duty. Companies should remember that they are being trusted by consumers with their
More informationPDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)
PDQ has created an Answer Guide for the Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C to help wash operators complete questionnaires. Part of the Access Customer Management
More informationPCI COMPLIANCE GUIDE For Merchants and Service Members
PCI SAQ C-VT PCI COMPLIANCE GUIDE For Merchants and Service Members PCI DSS v2.0 SAQ CVT Merchant Guide 1 Contents Contents... 2 Introduction... 3 Defining an SAQ C Merchant... 3 REQUIREMENTS FOR SAQ-VT...
More informationPAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW
PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW David Kittle Chief Information Officer Chris Ditmarsch Network & Security Administrator Smoker Friendly International / The Cigarette Store Corp
More informationTokenization Amplified XiIntercept. The ultimate PCI DSS cost & scope reduction mechanism
Tokenization Amplified XiIntercept The ultimate PCI DSS cost & scope reduction mechanism Paymetric White Paper Tokenization Amplified XiIntercept 2 Table of Contents Executive Summary 3 PCI DSS 3 The PCI
More informationPAI Secure Program Guide
PAI Secure Program Guide A complete guide to understanding the Payment Card Industry Data Security Requirements and utilizing the PAI Secure Program. Letter From the CEO Welcome to PAI Secure. As you
More informationPCI DSS Reporting WHITEPAPER
WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts
More informationProtecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance
Payment Security White Paper Protecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance Breaches happen across all industries as thieves look for vulnerabilities.
More informationInformation Security Services. Achieving PCI compliance with Dell SecureWorks security services
Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)
More informationMobile Device Payment Card Processing: How Secure is It? Richard Poworski CISSP, ISP, ITCP, SCF, PCI QSA, PCIP Managing Consultant
Seccuris is Canada s premier Information Assurance integrator. We enable organizations to achieve business goals through effective management of information risk. We are agile, innovative, flexible, and
More informationAchieving Compliance with the PCI Data Security Standard
Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),
More informationSecurityMetrics. PCI Starter Kit
SecurityMetrics PCI Starter Kit Orbis Payment Services, Inc. 42 Digital Drive, Suite 1 Novato, CA 94949 USA Dear Merchant, Thank you for your interest in Orbis Payment Services as your merchant service
More informationIT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER
July 9 th, 2012 Prepared By: Mark Akins PCI QSA, CISSP, CISA WHITE PAPER IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD PCI DSS for Merchants The Payment
More informationSecurityMetrics Vision whitepaper
SecurityMetrics Vision whitepaper 1 SecurityMetrics Vision: Network Threat Sensor for Small Businesses Small Businesses at Risk for Data Theft Small businesses are the primary target for card data theft,
More informationA Compliance Overview for the Payment Card Industry (PCI)
A Compliance Overview for the Payment Card Industry (PCI) Many organizations are aware of the Payment Card Industry (PCI) and PCI compliance but are unsure if they are doing everything necessary. This
More informationMEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM
MEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM PCI DSS 1.1 compliance requirements demand a new level of administration and oversight for merchants, banks and service providers to maintain
More informationPCI: It Never Ends. Why?
PCI: It Never Ends. Why? How to stay prepared? Shekar Swamy American Technology Corporation St. Louis, MO January 13, 2011 PCI compliance basics It s all about Data Security 12 major areas of compliance
More informationPCI Compliance : What does this mean for the Australian Market Place? Nov 2007
Sense of Security Pty Ltd (ABN 14 098 237 908) 306, 66 King St Sydney NSW 2000 Australia Tel: +61 (0)2 9290 4444 Fax: +61 (0)2 9290 4455 info@senseofsecurity.com.au PCI Compliance : What does this mean
More informationProtect Data. Secure Business.
Achieve Payment Card Industry Data Standard Security (PCI DSS) compliance today, while advancing your network for the technology of tomorrow. Protect Data. Secure Business. Building Your Business With
More informationPCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00
PCI PA - DSS Point XSA Implementation Guide Atos Worldline Banksys XENTA SA Version 1.00 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page number 2 (16)
More information