White Paper September 2013 By Peer1 and CompliancePoint PCI DSS Compliance Clarity Out of Complexity
|
|
- Aleesha Doyle
- 8 years ago
- Views:
Transcription
1 White Paper September 2013 By Peer1 and CompliancePoint PCI DSS Compliance Clarity Out of Complexity
2 Table of Contents Introduction 1 Businesses are losing customer data 1 Customers are learning about these losses 1 The payment card industry suffers 1 What is PCI compliance? 2 Other industry standards 2 Scope of PCI DSS 2 PCI myths and assumptions 4 and the most dangerous myth: compliance vs. security Who should be interested in PCI? 4 PCI assessments 5 Implications and risks of non-compliance 5 Cost of data breaches 5 Other consequences of data breaches 5 Competitive advantages of being PCI compliant 6 Finding a PCI-compliant cloud services provider 6 What you need to look for in a hosting provider 6 Additional hosting provider performance criteria 7 Conclusion and call-to-action 7 About CompliancePoint 8
3 Introduction Whoever first said there s no such thing as bad publicity never had to deal with payment card security breaches. Businesses are losing customer data On May 21, 2013, the St. Louis Post-Dispatch reported that At least three lawsuits seeking class action status have been filed against (a Midwestern grocery chain) in the wake of the credit card breach that impacted an estimated 2.4 million cards, used at 79 stores, from early December to late March. The headline to the article claims the breach could cost the chain $80 million in Illinois alone. 1 Sometimes a news report doesn t even have to include numbers to indicate the seriousness of a situation. The U.S. government has sued (a major hotelier) over allegations that it failed to protect consumers credit card data, says a June 26, 2012 Huffington Post article. 2 Customers are learning about these losses None of these incidents are unusual. According to PrivacyRights.org, the number of personal records involved in security breaches since January 2005 is now more than 607,472,154. This number exceeds the current population of the Unites States. A recent Forbes Magazine article noted a record number of breaches 1,611 took place in This number is up a staggering 48 percent from Consumers are nervous. According to the same article, if they received a data breach notification in 2010, their odds of being a fraud victim were one in nine. Last year, that jumped to one in four. A 2013 Data Breach Investigative Report from Verizon analyzed 47,000 reported incidents and 621 confirmed data breaches that occurred during These incidents were drawn from over 44 million known incidents that year. This astonishing report outlines the increase in consumer fraud, the statistics involved in espionage attacks, and the length of time it takes to discover those attacks. Read the full report at: Increasing creativity from criminals explains only part of this number. Despite publicly reported horror stories like the ones above, far too many businesses remain blasé about the security of their own data. In doing so, they run unnecessarily high risks of business losses, legal liability, fines and other avoidable problems. The payment card industry suffers The Huffington Post also reported, back in February of 2012, on the fate of a payment card processing company: Visa Inc. has dropped the card processor involved in a massive data breach from its registry of providers that meet data security standards. White Paper: PCI DSS Compliance Page 1
4 (The CEO of a large payment processor) noted that the company continues to process Visa transactions, but that being dropped from the registry could give our partners some pause that they re doing business with someone who experienced a breach. (The CEO) said he expects (the payment processor) to be reinstated once it has been issued a new report of compliance. But he declined to specify when that might be. He said the situation is absolutely contained but that the investigation is continuing and that parts of it still need to be resolved. 4 The payment card industry is fighting back against criminal hackers. If your business accepts payment cards from customers and doesn t want to suffer the fate of the aforementioned payment processor read on about how to join the fight. What is PCI compliance? Payment card industry (PCI) data security standards (DSS) are a set of standards that the payment card industry and related organizations use to increase controls around cardholder data to reduce credit card fraud via its exposure. PCI 5 came about due to increasing incidents of fraud, which were often related to a similar rise in identity and credit card breaches. Ineffective government regulation compounded these problems, so the payment card industry developed PCI DSS to protect its business interests. Other industry standards All actors in the payment card industry must be aware of PCI DSS, but other sets of standards also apply to specific actors. Standard Payment Card Industry Data Security Standard (PCI DSS) Actors affected All companies that enter, transmit, process or store credit card data Payment Application Data Security Standard (PA DSS) PIN Transaction Security (PTS) All software vendors that build, sell and license application software that enters, transmits or stores credit card data All vendors of payment card transaction or PIN devices Scope of PCI DSS PCI is any system component or business process that stores, processes or transmits cardholder data. 1. Where data enters an organization 2. Where data is stored 3. What business processes data is used for 4. How data exits the organization White Paper: PCI DSS Compliance Page 2
5 To secure data at each of these stages, organizations need to take specific precautions dealing with: Network segmentation (firewalls/acls) Proper N-tier architecture (application/database servers) Physical control Business workflow/procedures PCI DSS is made up of 12 requirements grouped into 6 categories: Area Build & Maintain a Secure Network Requirement Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendorsupplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software or programs Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business needto-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Regularly Monitor & Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security for employees and contractors White Paper: PCI DSS Compliance Page 3
6 PCI myths and assumptions Even though credible, freely available sources clearly explain PCI DSS, certain misunderstandings about it continue to circulate. Here s a short selection. If I use a PCI Certified application, I am compliant with PCI If I use a PCI Certified Service Provider, I am compliance with PCI I don t process enough credit card transactions to require PCI Compliance We completed a SAQ so we re compliant If I don t store credit card data I don t have to be PCI compliant and the most dangerous myth: compliance vs. security Compliance can be considered one facet of security, but it does not guarantee the security of your data. PCI only focuses on the applications and IT infrastructure that affects credit card data. If your organization has other sensitive or high impact data, you need to secure it using other means. Who should be interested in PCI? Large or small, every merchant that accepts payment cards from its customers must at least be aware of PCI. PCI DSS standards specify the following merchant levels to qualify paymentcard-accepting merchants. (Level requirements are subject to periodic review and revision.) Depending on the level, merchants must meet specific requirements to attain PCI compliance status. Merchant Level Criteria Requirements Merchants that process 6 million or more credit card transactions per year Any merchant that suffered a hack or an attack resulting in an account data compromise A service provider than processes more than 300,000 credit card transactions per year Merchants that process 1 million or more credit transactions per year Service providers that process less the 300,000 transactions per year Annual on-site PCI Data Security Assessment by Qualified Security Assessor (QSA) Quarterly network scans by PCI Approved Scanning Vendor (ASV) 3 4 e-commerce merchants that process less than 1 million transactions per year Merchants that process less than 1 million transactions per year Annual self-assessment questionnaire by merchant Quarterly network scans by PCI Approved Scanning Vendor (ASV) White Paper: PCI DSS Compliance Page 4
7 PCI assessments Assessments of PCI compliance cover three main areas: Administrative Controls Policy & Procedures Technical Controls IT and Security Infrastructure Physical Security Implications and risks of non-compliance Non-compliance with PCI DSS can substantially raise the risk of data breaches and the consequences associated with them. Cost of data breaches CompliancePoint estimated the cost of data breaches at $354 US per record. That cost breaks down as follows: Cost Component Cost Discovery, Response, Notification $50 Employee Productivity Cost $30 Regulatory Fines $60 Restitution $30 Credit Card Replacement $35 Security and Audit Requirement $10 Opportunity Loss Customer $139 TOTAL/Record $354 Costs can be Staggering In a recent 2013 global study by The Ponemon Institute, the number of breached records per incident averaged between 2,300 and 99,000. US companies averaged 28,765 compromised records. With a cost of $354 per compromised record, costs can quickly escalate - especially for companies not focused on security compliance. 7 Other consequences of data breaches Other potential costs of data breaches include: Legal costs from civil litigation Significant chargeback risk Negative media coverage Loss of business Fines and increased transaction fees from credit card companies Loss of reputation and financial position Brand damage resulting from the loss of trust both inside and outside the organization White Paper: PCI DSS Compliance Page 5
8 Competitive advantages of being PCI compliant Running a PCI-compliant operation means that merchants can create greater trust among their current and prospective customers and business partners. Many companies today forego their own datacenters in favor of cloud service providers. To maintain your customers trust rooted in your PCI compliance, your cloud service providers must also be PCI compliant. If not, your company can t place any payment card data in your provider s servers without risking your own company s PCI-compliant status. Finding a PCI-compliant cloud services provider Looking for PCI-compliant providers? Look no further than the CIS Security Benchmarks Division ( Members of this community work together to create ever-more-secure computing environments. As explained on the Division s website: The Security Benchmarks division is recognized as a trusted, independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. Because of this reputation, our resources are recommended as industry-accepted system hardening standards and are used by organizations in meeting compliance requirements for FISMA, PCI, HIPAA and other security requirements. Peer 1 Hosting maintains facilities, administration practices and infrastructure that are designed to meet the stringent requirements of the PCI DSS 2.0 standard. We are also periodically audited by CompliancePoint, an independent third party. What you need to look for in a hosting provider If you re looking for a checklist for PCI DSS-compliant providers, we suggest you read Page 11 of the Information Supplement: PCI DSS Cloud Computing Guidelines written by the Cloud Special Interest Group for the PCI Security Standards Council. We ve reproduced their list of best practices here: 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data White Paper: PCI DSS Compliance Page 6
9 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for all personnel The authors go into greater detail on each best practice, and they recommend that customers as well as cloud service providers implement these best practices. Remember, businesses that use PCI-compliant cloud service providers must also keep their own operations PCI compliant. As we wrote on page 10, Peer 1 s membership in the CIS Security Benchmarks Division helps us stay compliant and implement best practices as they emerge. CompliancePoint serves as Peer 1 s qualified security assessor (QSA), the trusted advisor that works with Peer 1 to maintain PCI compliance. We value our partnership as much as our customers value the security of the payment card information entrusted to them. Additional hosting provider performance criteria Once you attain a fully compliant back-end solution with Peer 1 Hosting, you can enhance the performance of your application with CompliancePoint services like: PCI DSS Assessment PCI DSS Policy Development Vulnerability Scans Penetration Testing Security Awareness Training Compliance Monitoring and Management Program Compliance Automation Portal Conclusion and call-to-action Peer 1 Hosting provides a foundation to help you build a PCI-compliant infrastructure to secure your critical data. CompliancePoint helps make that environment happen, thanks to its full lifecycle approach to managing compliance. We reduce the cost and effort for our customers to become, and stay, PCI compliant. We save our customers money as they implement physical and technical controls. The Peer 1 Hosting environment is already audited, so we make the audits our customers face quicker and more efficient. We use the same compliance playbook. We are Peer 1 Hosting and CompliancePoint, the PCI-compliant partnership your business needs. To learn more about PCI DSS compliant hosted solutions: Call Peer 1 Hosting at Go to and chat with an online sales assistant To inquire about PCI DSS compliance services, call CompliancePoint at White Paper: PCI DSS Compliance Page 7
10 About CompliancePoint CompliancePoint is a leader in compliance and information risk management. CompliancePoint helps organizations safeguard information assets and ensure regulatory compliance by providing third party assessments and developing enterprise security policies and programs based on the accepted Information Security frameworks and the regulatory requirements of Payment Card Industry (PCI) DSS v2.0 & PCI PA-DSS, HIPAA/HITECH,ISO 27001, SSAE SOC2 and FISMA/NIST. CompliancePoint s three point approach for identifying compliance levels, assisting in the remediation of compliance issues and providing a program to more effectively manage compliance data, documents and activities, ensures organizations not only achieve compliance but are able to maintain it as well. White Paper: PCI DSS Compliance Page 8
11 Footnotes 1 html People commonly use PCI DSS and PCI interchangeably. 6 While a merchant might not technically qualify for Level 1, it may do business with another organization that demands it meet Level 1 requirements. In that case, the merchant may opt for Level 1 compliance in order to meet its customer s demand. 7 Source - Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis White Paper: PCI DSS Compliance Page 9
PCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
More informationPCI Compliance. Top 10 Questions & Answers
PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements
More informationHow To Protect Your Business From A Hacker Attack
Payment Card Industry Data Security Standards The payment card industry data security standard PCI DSS Visa and MasterCard have developed the Payment Card Industry Data Security Standard or PCI DSS as
More informationPayment Card Industry Data Security Standards.
Payment Card Industry Data Security Standards. Your guide to protecting cardholder data Helping you manage the risk. Credit Card fraud and data compromises are an increasingly serious problem, costing
More informationWorldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)
Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) What is PCI DSS? The 12 Requirements Becoming compliant with SaferPayments Understanding the jargon SaferPayments Be smart.
More informationProject Title slide Project: PCI. Are You At Risk?
Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services
More informationTwo Approaches to PCI-DSS Compliance
Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,
More informationHow To Protect Visa Account Information
Account Information Security Merchant Guide At Visa, protecting our cardholders is at the core of everything we do. One of the many reasons people trust our brand is that we make buying and selling safer
More informationThe Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development
The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment Card Industry Data Security Standards
More informationPCI Compliance: How to ensure customer cardholder data is handled with care
PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4
More informationPayment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.
Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History
More informationComodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business
Comodo HackerGuardian PCI Security Compliance The Facts What PCI security means for your business Overview The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements intended
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationMasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.
MasterCard PCI & Site Data Protection (SDP) Program Update Academy of Risk Management Innovate. Collaborate. Educate. The Payment Card Industry Security Standards Council (PCI SSC) Open, Global Forum Founded
More informationPCI Security Compliance
E N T E R P R I S E Enterprise Security Solutions PCI Security Compliance : What PCI security means for your business The Facts Comodo HackerGuardian TM PCI and the Online Merchant Overview The Payment
More informationTNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business
TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment
More informationCHEAT SHEET: PCI DSS 3.1 COMPLIANCE
CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,
More informationPCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz
PCI-DSS: A Step-by-Step Payment Card Security Approach Amy Mushahwar & Mason Weisz The PCI-DSS in a Nutshell It mandates security processes for handling, processing, storing and transmitting payment card
More informationProtecting Your Customers' Card Data. Presented By: Oliver Pinson-Roxburgh
Protecting Your Customers' Card Data Presented By: Oliver Pinson-Roxburgh Agenda Trustwave Overview PCI Scope Compromise Statistics PCI Makes Business Sense Registration Process TrustKeeper Features Support
More informationWhat are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:
What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International
More informationProperty of CampusGuard. Compliance With The PCI DSS
Compliance With The PCI DSS Today s Agenda PCI DSS Introduction How are Colleges and Universities Affected? How Do You Validate Compliance? Best Practices Q&A CampusGuard Full-Service QSA/ASV Firm We Know
More informationPAI Secure Program Guide
PAI Secure Program Guide A complete guide to understanding the Payment Card Industry Data Security Requirements and utilizing the PAI Secure Program. Letter From the CEO Welcome to PAI Secure. As you
More informationPCI DSS Overview. By Kishor Vaswani CEO, ControlCase
PCI DSS Overview By Kishor Vaswani CEO, ControlCase Agenda About PCI DSS PCI DSS Applicability to Banks, Merchants and Service Providers PCI DSS Technical Requirements Overview of PCI DSS 3.0 Changes Key
More informationPCI Compliance: Protection Against Data Breaches
Protection Against Data Breaches Get Started Now: 877.611.6342 to learn more. www.megapath.com The Growing Impact of Data Breaches Since 2005, there have been 4,579 data breaches (disclosed through 2013)
More informationIT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER
July 9 th, 2012 Prepared By: Mark Akins PCI QSA, CISSP, CISA WHITE PAPER IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD PCI DSS for Merchants The Payment
More informationPCI COMPLIANCE TO BUILD HIGHER CONFIDENCE FOR CARD HOLDER AND BOOST CASHLESS TRANSACTION. Suresh Dadlani, ControlCase
PCI COMPLIANCE TO BUILD HIGHER CONFIDENCE FOR CARD HOLDER AND BOOST CASHLESS TRANSACTION Suresh Dadlani, ControlCase About Vietnam Google search 2 Population 86 Mn Urban Population 25 Mn, approx 30% -
More informationWHITE PAPER. PCI Basics: What it Takes to Be Compliant
WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through
More informationPCI: The Dark Side. May 2012 Roanoke, VA
PCI: The Dark Side May 2012 Roanoke, VA Agenda The problem Who are they? Why? What do they steal? How do they do it? What can they do with it? How can you stop it? Ron King, Ed Ko, CampusGuard CampusGuard
More informationVaronis Systems & The Payment Card Industry Data Security Standard (PCI DSS)
CONTENTS OF THIS WHITE PAPER Overview... 1 Background... 1 Who Needs To Comply... 1 What Is Considered Sensitive Data... 2 What Are the Costs/Risks of Non-Compliance... 2 How Varonis Helps With PCI Compliance...
More informationHow To Protect Your Credit Card Information From Being Stolen
Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)
More informationPayment Card Industry Data Security Standards Compliance
Payment Card Industry Data Security Standards Compliance Please turn off, or to vibrate, all cell-phones/electronics Expected course length: 1 Hour Questions are welcomed. Who Created It? & What Is It?
More informationSecurityMetrics Introduction to PCI Compliance
SecurityMetrics Introduction to PCI Compliance Card Data Compromise What is a card data compromise? A card data compromise occurs when payment card information is stolen from a merchant. Some examples
More informationSecurityMetrics. PCI Starter Kit
SecurityMetrics PCI Starter Kit Orbis Payment Services, Inc. 42 Digital Drive, Suite 1 Novato, CA 94949 USA Dear Merchant, Thank you for your interest in Orbis Payment Services as your merchant service
More informationLa règlementation VisaCard, MasterCard PCI-DSS
La règlementation VisaCard, MasterCard PCI-DSS Conférence CLUSIF "LES RSSI FACE À L ÉVOLUTION DE LA RÉGLEMENTATION" 7 novembre 07 Serge Saghroune Overview of PCI DSS Payment Card Industry Data Security
More informationWhitepaper. PCI Compliance: Protect Your Business from Data Breach
Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your
More informationPCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com Overview PCI DSS In the beginning Each major card brand had its own separate
More informationPCI Data Security Standards
PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million
More informationHow To Become A Pca Compliant Organization
Compliance Management Merchant Guide 2012 Stay Clear Of Fraud Are You Concerned About Data Security Risks? Security is a duty. Companies should remember that they are being trusted by consumers with their
More informationPayment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008
Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements
More informationPCI Compliance for Healthcare
PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?
More informationJosiah Wilkinson Internal Security Assessor. Nationwide
Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges
More informationWhitepaper. PCI Compliance: Protect Your Business from Data Breach
Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your
More informationPCI DSS Compliance. 2015 Information Pack for Merchants
PCI DSS Compliance 2015 Information Pack for Merchants This pack contains general information regarding PCI DSS compliance and does not take into account your business' particular requirements. ANZ recommends
More informationPCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina ricklambert@sc.
PCI Compliance at The University of South Carolina Failure is not an option Rick Lambert PMP University of South Carolina ricklambert@sc.edu Payment Card Industry Data Security Standard (PCI DSS) Who Must
More informationPCI DSS. CollectorSolutions, Incorporated
PCI DSS Robert Cothran President CollectorSolutions www.collectorsolutions.com CollectorSolutions, Incorporated Founded as Florida C corporation in 1999 Approximately 235 clients in 35 states Targeted
More informationComplying with PCI is a necessary step in safely accepting Payment Cards.
What Every Director Needs to Know About Credit Cards & Patron Privacy Complying with PCI is a necessary step in safely accepting Payment Cards. Know the Risks! Some Interesting Facts: 94% of data breaches
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationPayment Card Industry - Achieving PCI Compliance Steps Steps
CUR RITY SE Data Security Requirements for K-12 January 28, 2010 Payment Card Industry (PCI) SE CUR RITY 1 Welcome To Join The Voice Conference Dial 866-939-3921 Technical issues press 0 Q & A We ll leave
More informationPCI DSS Compliance & Security Awareness Program at UST
PCI DSS Compliance & Security Awareness Program at UST PCI DSS in a Nutshell Who? What? Where? When? Applicable to all UST employees that are exposed to any cardholder data while performing their job responsibilities
More informationData Security Basics for Small Merchants
Data Security Basics for Small Merchants 28 October 2015 Stan Hui Director, Merchant Risk Lester Chan Director, Merchant Risk Disclaimer The information or recommendations contained herein are provided
More informationMerchant guide to PCI DSS
Merchant guide to PCI DSS Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 BOIPA Simple PCI DSS - 3 step approach to helping businesses... 3 What does
More informationAISA Sydney 15 th April 2009
AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks
More informationPCI DSS Presentation University of Cincinnati
PCI DSS Presentation University of Cincinnati Quick PCI Level Set Higher Ed Challenges Getting Compliant Application w/ customers Q& A PCI DSS Payment Card Industry Data Security Standard What is the PCI
More informationDon Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer
Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud
More informationAn article on PCI Compliance for the Not-For-Profit Sector
Level 8, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 An article on PCI Compliance for the Not-For-Profit Sector Page No.1 PCI Compliance for the Not-For-Profit Sector
More informationPCI DSS. Payment Card Industry Data Security Standard. www.tuv.com/id
PCI DSS Payment Card Industry Data Security Standard www.tuv.com/id What Is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is the common security standard of all major credit cards brands.the
More informationPayment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions
PCI/PA-DSS FAQs Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions What is PCI DSS? The Payment Card Industry Data
More informationAnd Take a Step on the IG Career Path
How to Develop a PCI Compliance Program And Take a Step on the IG Career Path Andrew Altepeter Any organization that processes customer payment cards must comply with the Payment Card Industry s Data Security
More informationPCI DSS Payment Card Industry Data Security Standard. Merchant compliance guidelines for level 4 merchants
Appendix 2 PCI DSS Payment Card Industry Data Security Standard Merchant compliance guidelines for level 4 merchants CONTENTS 1. What is PCI DSS? 2. Why become compliant? 3. What are the requirements?
More informationSection 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
More informationP R O G R E S S I V E S O L U T I O N S
PCI DSS: PCI DSS is a set of technical and operational mandates designed to ensure that all organizations that process, store or transmit credit card information maintain a secure environment and safeguard
More informationPCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing
More informationPayment Card Industry Data Security Standard
Payment Card Industry Data Security Standard Abhinav Goyal, B.E.(Computer Science) MBA Finance Final Trimester Welingkar Institute of Management ISACA Bangalore chapter 13 th February 2010 Credit Card
More informationDATA SECURITY. Payment Card Industry (PCI) Compliance Steps for Organizations May 26, 2010. 2010 Merit Member Conference
2010 Merit Member Conference Compliance Steps for Organizations May 26, 2010 Payment Card Industry (PCI) 1 Welcome 2 Welcome Q & A We ll leave time to address questions during the last 15 minutes of the
More informationFrequently Asked Questions
PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply
More informationPCI Compliance Overview
PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)
More informationSecurity Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments
Security in the Payment Card Industry OWASP AppSec Seattle Oct 2006 Hap Huynh, Information Security Specialist, Visa USA hhuynh@visa.com Copyright 2006 - The OWASP Foundation Permission is granted to copy,
More informationPCI-DSS Compliance. Ron Dinwiddie Chief Technology Officer J. Spargo & Associates
PCI-DSS Compliance Ron Dinwiddie Chief Technology Officer J. Spargo & Associates Agenda What is PCI Compliance Why is PCI Important How does this impact me? Becoming PCI Compliant JSA PCI Strategy Risk
More informationPCI Security Standards Council
PCI Security Standards Council Jeremy King, European Director 2013 Why PCI Matters Applying PCI How You Can Participate Agenda 2 Why PCI Matters Applying PCI How You Can Participate Agenda About the PCI
More informationPAYMENT CARD INDUSTRY (PCI) SECURITY STANDARDS COUNCIL
PAYMENT CARD INDUSTRY (PCI) SECURITY STANDARDS COUNCIL Session 1 Payment Card Industry (PCI) Security Standards Slide 1 Top 3 Largest Security Incidents Reported Worldwide = CREDIT CARDS Related *Source:
More information2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock
2015 PCI DSS Meeting OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock 11/3/2015 Today s Presentation What do you need to do? What is PCI DSS? Why PCI DSS? Who Needs to Comply
More informationAdyen PCI DSS 3.0 Compliance Guide
Adyen PCI DSS 3.0 Compliance Guide February 2015 Page 1 2015 Adyen BV www.adyen.com Disclaimer: This document is for guidance purposes only. Adyen does not accept responsibility for any inaccuracies. Merchants
More informationBecoming PCI Compliant
Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History
More informationPCI Overview. PCI-DSS: Payment Card Industry Data Security Standard
PCI-DSS: Payment Card Industry Data Security Standard Why is this important? Cardholder data and personally identifying information are easy money That we work with this information makes us a target That
More informationPCI Compliance for Cloud Applications
What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage
More informationThe PCI DSS Compliance Guide For Small Business
PCI DSS Compliance in a hosted infrastructure A Rackspace White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by
More informationPC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA
PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?
More informationHOW SECURE IS YOUR PAYMENT CARD DATA?
HOW SECURE IS YOUR PAYMENT CARD DATA? October 27, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director PCI Practice Leader Kevin Villanueva,, CISSP,
More informationPCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard rking@campusguard.com
PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard rking@campusguard.com Whoops!...3.1 Changes 3.1 PCI DSS Responsibility Information Technology Business Office PCI DSS Work Information
More informationPCI Compliance : What does this mean for the Australian Market Place? Nov 2007
Sense of Security Pty Ltd (ABN 14 098 237 908) 306, 66 King St Sydney NSW 2000 Australia Tel: +61 (0)2 9290 4444 Fax: +61 (0)2 9290 4455 info@senseofsecurity.com.au PCI Compliance : What does this mean
More informationImportant Info for Youth Sports Associations
Important Info for Youth Sports Associations What the Heck is PCI DSS and Why Should I Care? Joe Posey Terrapin Financial Services Your Club is an ecommerce Business You accept online registration over
More informationPayment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS
The PCI Security Standards Council http://www.pcisecuritystandards.org The OWASP Foundation http://www.owasp.org Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS Omar F. Khandaker,
More informationPayment Card Industry Data Security Standard (PCI DSS) v1.2
Payment Card Industry Data Security Standard (PCI DSS) v1.2 Joint LA-ISACA and SFV-IIA Meeting February 19, 2009 Presented by Mike O. Villegas, CISA, CISSP 2009-1- Agenda Introduction to PCI DSS Overview
More informationHow To Comply With The Pci Ds.S.A.S
PCI Compliance and the Data Security Standards Introduction The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of
More informationKey Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
More informationRecent Developments in PCI DSS. PCI in the Headlines Risks to Higher Education PCI DSS Version 1.2
Recent Developments in PCI DSS PCI in the Headlines Risks to Higher Education PCI DSS Version 1.2 1 2009 Breach Investigation Who did it? 74% external parties 20% insiders 32% implicated business partners
More informationPCI (Payment Card Industry) Compliance For Healthcare Offices By Ron Barnett
PCI (Payment Card Industry) Compliance For Healthcare Offices By Ron Barnett Dr. Svenson thought he was doing both his patients and his practice a big favor when he started setting up monthly payment arrangements
More informationInformation for merchants. Program implementation details for merchants. Payment Card Industry Data Security Standard (PCI DSS)
Postbank P.O.S. Transact GmbH (now EVO Kartenakzeptanz GmbH) has recently been purchased by EVO Payments International Group Program implementation details for merchants Payment Card Industry Data Security
More informationPCI Standards: A Banking Perspective
Slide 1 PCI Standards: A Banking Perspective Bob Brown, CISSP Wachovia Corporate Information Security Slide 2 Agenda 1. Payment Card Initiative History 2. Description of the Industry 3. PCI-DSS Control
More informationYour guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)
Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions Version 5.0 (April 2011) Contents Contents...2 Introduction...3 What are the 12 key requirements of
More informationPayment Card Industry Data Security Standard
Payment Card Industry Data Security Standard Office of the State Treasurer Ryan Pitroff Banking Services Manager Ryan.Pitroff@tre.wa.gov PCI-DSS A common set of industry tools and measurements to help
More informationHOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS
HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS August 23, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Presenters Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security
More information115 th Annual Convention
115 th Annual Convention Date: Saturday, October 12, 2013 Time: 11:00 am 12:00 pm Location: The Walt Disney World Swan and Dolphin Resort, Southern Hemisphere Salon 4-5 Title: Activity Type: Speaker: Data
More informationSimple & Secure Integrated Payment Processing from Element and Transformations
Simple & Secure Integrated Payment Processing from Element and Transformations Presented by: Chris Engelhardt Date: August 13 th, 2014 Questions We Will Cover How do you process your payments? Does your
More informationAccepting Payment Cards and ecommerce Payments
Policy V. 4.1.1 Responsible Official: Vice President for Finance and Treasurer Effective Date: September 29, 2010 Accepting Payment Cards and ecommerce Payments Policy Statement The University of Vermont
More informationSECURITY FIRST: CLARITY ON PCI COMPLIANCE
WHITE PAPER CLOUD HOSTING. SECURED. SECURITY FIRST: CLARITY ON PCI COMPLIANCE WWW.SERVERCHOICE.COM SECURITY FIRST: CLARITY ON PCI COMPLIANCE This Security First white paper provides an illustrated view
More informationAre You Prepared to Successfully Pass a PCI-DSS and/or a FISMA Certification Assessment? Fiona Pattinson, SHARE: Seattle 2010
Are You Prepared to Successfully Pass a PCI-DSS and/or a FISMA Certification Assessment? Fiona Pattinson, SHARE: Seattle 2010 atsec information security, 2010 About This Presentation About PCI assessment
More informationCredit Card Processing Overview
CardControl 3.0 Credit Card Processing Overview Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new
More informationInformation Security Services. Achieving PCI compliance with Dell SecureWorks security services
Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)
More informationPayment Card Industry (PCI) Data Security Standard (DSS) Motorola PCI Security Assessment
Payment Card Industry (PCI) Data Security Standard (DSS) Motorola PCI Security Assessment Retail establishments have always been a favorite target of thieves and shoplifters, but today s worst criminals
More information