Walking the minefield of PCI DSS compliance May 2010
White paper, May 2010. In association with
A foreword by Neira Jones, Head of Payment Security at Barclaycard

In the 1960s-70s, we had zip-zap machines. Two decades later, the first card acceptance terminals became mainstream. Now, not only do we have more sophisticated payment terminals (mobile or otherwise, attended or not), we also have EPOS (Electronic Point of Sale) systems, online shops, payment-enabled smartphones, and many derivations of all these. As card payments become available through a variety of channels and technologies, the challenges faced by retailers to secure their customer data increase.

It is therefore not surprising that between 2000 and 2008 in the UK, Card Not Present (CNP) transactions rose by 400%, and CNP fraud rose by 350%. CNP fraud represents nearly two thirds of total UK card fraud. In Europe, Card Present merchants (brick and mortar businesses) are far less likely to be compromised than Card Not Present merchants. This is due to the successful introduction of Chip & PIN, upgrades to payment systems and adoption of standards over the past few years. It is no wonder therefore that card fraud has essentially migrated online.

Whilst CNP fraud is still dominant and is projected to continue on this trend, it has for the first time since 2004 decreased in value. This is mainly due to the following factors:

- Increased use of fraud screening and detection tools by retailers and banks
- Growth in the use of MasterCard SecureCode and Verified by Visa by both online retailers and cardholders
- Security awareness in the merchant community and the drive for Payment Card Industry Data Security Standard (PCI DSS) compliance.

Modern day criminals want our data: be it credit, financial, payment card or personal. There is a strong black market in each, and identity thieves are more inventive than ever. The annual cost of identity theft to the UK economy is estimated to be £1.2bn.
Every year we share more of ourselves online - a trend that is set to continue as we spend more money on e-commerce sites. Each time we do this, we place our data and our faith in the security measures taken by the businesses that manage these e-commerce sites.
Exploiting vulnerabilities using techniques such as SQL injection is a method currently in favour with hackers and data thieves. SQL injection attacks exploit vulnerabilities at the web application layer to access sensitive data in back-end databases. These web-based attacks can pass undetected through firewalls and other perimeter defences, including intrusion detection and intrusion prevention systems, then hijack the application server to gain access to underlying database records. This threat is rising, and according to a data breach report published by the Verizon Business RISK team, 75% of all breached records came from compromised database servers, while other IT assets such as laptops and backup tapes accounted for less than 0.05% of compromised data.

The PCI DSS has been introduced to help protect everyone against card fraud: to protect businesses and their customers' card data. Every business is dependent on its customers' trust. If e-commerce security is not high on their agenda, e-commerce retailers may lose more than they think. As a very first step in simplifying their PCI DSS compliance journey, Barclaycard advises retailers to always seek PCI DSS compliant service providers (e.g. payment gateways, processors, managed hosting providers, shopping carts).

Executive summary

In the online environment trust can be won or lost overnight. Customer data security must lie at the core of all online business. The Payment Card Industry Data Security Standard (PCI DSS) provides a global security standard for companies that accept card payments. Different levels of compliance are required according to the type and size of the company. PCI DSS compliance is not law. However, merchants that do not comply may be subject to fines and forensic audits should a security breach occur. For smaller businesses, this could put an end to trading. A company can achieve PCI DSS compliance if it is using a hosted infrastructure.
However, the onus remains on the retailer to have compliant processes, as well as ensuring that the hosting partner and its infrastructure have sufficient security levels.
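The SQL injection weakness described above comes down to one thing: the query text is assembled from whatever the client sends. The Python below is an added example, not code from this white paper or from Barclaycard; it builds an in-memory SQLite table of constructed, already-masked records and uses hypothetical function names to place the weak lookup beside its parameterised replacement, so the difference in behaviour can be observed directly rather than argued.

```python
"""Added example (not from the white paper): a string-built SQL lookup beside
its parameterised form, run against a constructed in-memory SQLite table."""
import sqlite3

# Constructed sample data. Only masked PANs are held, as a PCI DSS merchant
# database should; the point of the example is the query, not the data.
SAMPLE_ROWS = [
    ("alice", "4111********1111", "12/27"),
    ("bob",   "5500********0004", "03/26"),
]


def make_db() -> sqlite3.Connection:
    """Build the throwaway database the two lookups below run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cardholder (username TEXT, pan_masked TEXT, expiry TEXT)"
    )
    conn.executemany("INSERT INTO cardholder VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The weak pattern: user input is concatenated into the SQL text, so the
    caller, not the application, decides what statement the database runs.
    Nothing at the network perimeter sees anything but an ordinary HTTP
    request carrying this value, which is why the paper says such attacks
    pass firewalls and IDS/IPS untouched."""
    sql = f"SELECT username, pan_masked FROM cardholder WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """The hardened pattern: the statement is fixed and the value is bound
    separately, so the input can only ever be compared as data."""
    sql = "SELECT username, pan_masked FROM cardholder WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign value and with the textbook
    tautology-style input, and return how many rows each variant hands back."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),
        "safe_benign": len(lookup_parameterised(conn, benign)),
        "safe_hostile": len(lookup_parameterised(conn, hostile)),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns every row for the hostile input because the comparison has been rewritten by the client; the parameterised lookup returns nothing, because the same text is only ever matched against the column. Code review and static analysis that flag string formatting in SQL statements catch this class of defect before any scanner does.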
The fragile bond of trust

In the amped-up and accelerated online economy, etailers can grow from concept to global business in a handful of years, and in the case of some social networks that level of increase can be seen in months. Even in the recession, the twin drivers of such explosive growth online have been the availability of credit coupled with the secure exchange of private data. Etailers and customers need a bond of trust facilitated by robust security policies and supporting technology.

Before e-commerce, most trusted brands built their reputations over decades of face-to-face dealings with the public, growing brand value through word of mouth, good service and consistent execution. Online, that degree of trust can be won or lost overnight, which means global standards are essential. Customer data security must lie at the core of all online business.

However, many enterprises are unaware that responsibility for customer data security is theirs even if the infrastructure partners they use are compliant with global standards. All personally identifiable data, such as account number, expiration date, name, address, and so on, that is stored, processed, or transmitted must be protected at every stage by the company. Securing such information is a challenge for most organisations: global brands can be undermined by a single security breach, while medium-sized traders may sell globally but have scant resources or in-house expertise to cover payment card security. For the smallest etailer, meanwhile, payment card security compliance can be a barrier to growth. In every case, the financial penalties for non-compliance can be ruinous.

Who needs to be PCI DSS compliant?

The Payment Card Industry Data Security Standard (PCI DSS) was established in 2004 by the Payment Card Industry Security Standards Council, an alliance of card providers including American Express, Discover, JCB, MasterCard and Visa.
The standard, which was updated in 2006 and again in 2009 to cover wireless LANs, applies to all organisations that hold, process, or pass cardholder information, including public sector bodies. If your company accepts payments via a card showing the AmEx, Discover, JCB, MasterCard or Visa logos, and stores, processes or transmits cardholder data, then your business needs to be PCI DSS compliant. The foundations of the standard are simple to state, but the reality of monitoring and enforcing compliance can be more complex. Compliance is itself measured and monitored by Qualified Security Assessors (QSAs). A list of these is available through the Security Council.
Put simply, compliance requires constant vigilance: an organisation can become non-compliant in an instant, and even the use of big-name web services providers does not guarantee a compliant infrastructure, nor a compliant customer. For example, some web services platforms are not in themselves PCI DSS compliant, while in other cases a single instance of an application might be insecure and give rise to hacks, exploits and data breaches, however secure the transactional systems might themselves be.

Basic PCI DSS requirements

A more detailed list can be found on the PCI Security Standards Council website.

- Build and maintain a secure network: in practice, this means installation and maintenance of a robust firewall with security parameters customised to each organisation
- Protect stored cardholder data on a secure database, with encrypted transmission of that data when using open, public networks
- Maintain a vulnerability management programme: regularly update anti-virus and anti-malware software and maintain secure applications
- Maintain strong access control measures, restricting computer and physical access to cardholders' personal and transactional data, and assign a unique ID to each person with data access
- Monitor and test networks and security systems for vulnerabilities regularly, tracking and monitoring access to private data
- Maintain an information security policy.

The latter point is significant. The early years of the 21st century have been littered with examples of lax data security at the weakest point of the security chain: vulnerable, fallible human beings. The trust implications of breaches in the public sector, for example, are still being felt today. This is because too many enterprises treat security as a technology problem requiring a technology solution. In fact, security technologies must (and can only) work in service of a watertight policy enforced throughout every tier of the organisation.
The private sector is far from immune: in 2009, for example, hackers stole information from over 45 million payment cards used by customers of US retailer TJX, which owns budget fashion outlet TK Maxx in the UK. There have been dozens of other high-profile examples this century, including Network Solutions, which suffered an intrusion and data breach compromising more than 4,300 customer sites and 570,000 people's credit card information. Network Solutions was, and is, PCI compliant.
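Of the requirements listed above, "protect stored cardholder data" is the one most directly testable in application code, and the breaches just described are what it exists to limit. The Python below is an added example, not part of the white paper and not Barclaycard's or any vendor's implementation. It assumes a merchant back end that must keep a reference to a card after authorisation, uses only the standard library, and holds its key as a constructed constant that a real deployment would fetch from a key-management system. It shows PAN masking for display, a keyed one-way reference stored in place of the PAN, a record shape with no field for sensitive authentication data, and a Luhn-based sweep that flags full PANs leaking into free text such as the constructed log lines included here.

```python
"""Added example (not from the white paper): keeping stored cardholder data
unreadable, and sweeping free text for PANs that should not be there."""
import hashlib
import hmac
import re

# Assumed: a real deployment keeps this key in a key-management system,
# never in source. A fixed constructed value is used so the example runs offline.
LOOKUP_KEY = b"constructed-example-key-do-not-reuse"

# Constructed log lines: the first carries a full PAN that should never have
# been written; the second is correctly masked; the third holds an unrelated
# 13-digit reference that fails the Luhn test.
SAMPLE_LOG = """\
2010-05-03 10:12:01 order=1234 pan=4111111111111111 status=authorised
2010-05-03 10:12:07 order=1235 pan=411111******1111 status=authorised
2010-05-03 10:12:09 trace=9876543210123 status=ok
"""


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, the usual first filter for 'is this a PAN?'."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str) -> str:
    """Keyed one-way hash (HMAC-SHA256) so a card can be matched again, for
    example on a refund, without the PAN itself being stored. Without the key,
    a plain hash of a 16-digit number would be cheap to brute-force."""
    return hmac.new(LOOKUP_KEY, pan.encode(), hashlib.sha256).hexdigest()


def store_card(pan: str, expiry: str) -> dict:
    """The minimum a merchant system keeps after authorisation. Sensitive
    authentication data (CVV, full track data) is not a parameter at all,
    so it cannot be persisted by mistake."""
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("not a well-formed PAN")
    return {
        "pan_masked": mask_pan(pan),
        "pan_ref": pan_reference(pan),
        "expiry": expiry,
    }


PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def find_unprotected_pans(text: str) -> list:
    """Sweep free text (log lines, exported tables) for digit runs that pass
    the Luhn test: a cheap check that cardholder data has not leaked into
    places where the standard says it must not be stored."""
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_valid(m)]


def scan_sample_log() -> list:
    """Run the sweep over the constructed log above."""
    return find_unprotected_pans(SAMPLE_LOG)


if __name__ == "__main__":
    print(store_card("4111111111111111", "12/27"))
    print(scan_sample_log())
```

The sweep is deliberately simple: a Luhn-valid run of 13 to 19 digits is not proof of a PAN, but it is the right trigger for a human to look, and running it over application logs and database exports on a schedule is one of the cheapest ways to find out that the first requirement in the list is being broken by a debug statement somewhere.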
So it is clear that PCI DSS compliance is essentially only a blueprint for Web and organisational security, and that it is possible to be both compliant and insecure, for example in terms of the risk from exploitable vulnerabilities in new applications and even operating systems, and from lax enforcement of security policies. Arguably, it is also possible to be secure and non-compliant in some respects.

PCI DSS compliance is not law. However, merchants that do not comply may be subject to fines and forensic audits should a security breach occur. For smaller businesses, this could put an end to trading, and for all businesses, damage to a brand's local or global reputation can be equally catastrophic. The payment service provider may even refuse to authorise online payments until the company is compliant, cutting off a vital payment method. The punitive costs of non-compliance help enforce and drive up security standards across all organisations and make secure trading part and parcel of the competitive market online. The members of the Security Council may issue fines of between $5,000 and $100,000 per month for compliance violations, fines that the banks will pass down the line to the companies responsible.

Levels of compliance

Some people have criticised the PCI DSS code for introducing tiers of organisation type and levels of compliance based around these. These are:

- Merchant Level One: any merchant processing over six million e-commerce card transactions per annum, or any merchant deemed to be Level One by the Security Council
- Level Two: any merchant processing one million to six million e-commerce card transactions per annum
- Level Three: any merchant processing 20,000 to one million e-commerce transactions per annum
- Level Four: any merchant processing fewer than 20,000 e-commerce card transactions per annum, and any merchant that deals with fewer than one million point of sale (i.e. over the counter) sales per annum.
Immediate compliance validation is required only for Level One to Three merchants and is optional for Level Four. This is controversial, given that there are far more retailers in this category than any other and 80% of payment card compromises in the past five years have hit Level Four enterprises. Arguably, it also creates a barrier to expansion for the smaller enterprise: growing beyond a certain number of transactions in any financial year has compliance implications, and potential penalties for failure.
However, if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required for all types of enterprise.

Using the cloud to ensure compliance

For many smaller to medium-sized enterprises, using a hosted or cloud-based infrastructure is an attractive option as it frees up the enterprise, and its hard-pressed IT department, to operate more strategically and to scale up to meet spikes in demand without the concomitant spikes in capital expenditure. On the face of it, it may also seem attractive in terms of outsourcing compliance issues and even enforcement to whoever hosts the data centre.

A company can achieve PCI DSS compliance if it is using a hosted infrastructure. While a hosting partner may offer compliant technology, an equally key ingredient from your partner is data protection and PCI DSS compliance expertise. However, the onus remains on your company to have compliant processes, as well as ensuring that the hosting partner and its infrastructure have sufficient security levels. This is simply good practice in any supplier relationship: you are in the driving seat of the deal, trusting your provider to do what it is best at so you can concentrate on running your core business.

Walking the minefield

In a recent survey conducted by Barclaycard, two accredited QSAs said that as long as the merchant meets the criteria for the requirements then they can achieve compliance, but both agreed that more guidelines were needed on this, and also accepted that people can gain compliance on a technicality. Another QSA said that whether or not a merchant achieves compliance depends on what level of compliance they are looking for, their main business function, and their plans if anything was to happen with the data on the hosted infrastructure.
This suggests that the organisations tasked with monitoring compliance are not in full agreement on how compliance might best be achieved in a hosted environment. One thing is certain, however: etailers should make no assumptions about compliance when using hosted processing, data storage or web services. For example, Amazon's EC2/S3 web services technologies are at the core of many successful online retail operations, and a cloud supplier ecosystem has flourished around adding value to Amazon's offering for any company wanting to build an online presence. However, in 2009 an Amazon representative admitted on an AWS online forum that its EC2/S3 system was not inherently PCI Level 1 compliant (it is Level 2 compliant). Amazon advised users not to use its platform in isolation to store sensitive payment card data.
It should be explained that PCI compliance is no guarantee of safety and security, and neither does the lack of technical compliance automatically imply that a site is insecure. Amazon went on to explain that:

"Merchants regardless of their size are independently responsible for complying with PCI when they collect, process or store credit card information. When using a shared hosting service... where the merchant controls what credit card information touches the service, the merchant is responsible for using the services in a manner that permits them to be PCI compliant, such as the proper use of encryption and key management."

In other words, you can rely on suppliers such as Amazon to provide the underlying technologies, but do not expect them to carry the can if your company is not PCI DSS compliant. It remains your responsibility.

So if a merchant is using a data centre to provide their managed infrastructure to host customer card data, is it possible for the merchant to gain PCI compliance if their data centre provider has not already obtained compliance? In Barclaycard's survey, 50% of the QSAs surveyed said that they could not give a definite answer to whether the merchant would gain compliance if the data centre provider had not itself done so. "It is a cloudy area which needs clarification," said one. "A colleague has been dealing with an issue similar to this and it hasn't been easy to look into or get any guidance. The provider, I would presume, would need some level of compliance but to what degree I couldn't tell you. Technically, in the past, they could be compliant even if their data centre was not. But now it is probably best to ensure that the centre has the right levels needed otherwise they are liable if anything happens to the data. If it then turns out that the data was not safe in the first place then it risks causing disruption to the businesses and they could lose their [PCI DSS compliant] status."
So PCI DSS compliance remains a controversial area where even the bodies charged with monitoring compliance are not in full agreement about the specifics of how best to implement and maintain it. The best approach is for merchants and etailers, whose responsibility compliance remains, to honour both the letter and spirit of PCI DSS and also see it as an opportunity to establish a world-class security position in the market rather than merely tick the boxes and provide a basic standard of security for customer data. After all, in the 21st century, secure customer data and loyalty are your business. Lose or compromise either, and your business will not survive.
About Barclaycard

Barclaycard: innovation and responsibility

- Barclaycard is innovative: first to introduce credit cards in 1966 and contactless technology in
- Trusted brand with 10.4 million customers, and one in five credit cards in the UK in our portfolio.
- We continually invest in technology in order to remain ahead of our competitors and enhance our service to customers.
- We are a responsible lender, adapting and improving our products and services to help our customers.
- We help retailers acquire payments and help them meet their business objectives with an easy to set up and cost-effective acquiring package.

Leading the way in payment security:
- PCI Security Standards Council Board of Advisors member
- PCI SSC Participating Organisation
- Dedicated Payment Security Team
- Online resources
- Publications

We are a responsible business, treating our people, our local communities and the environment well.

References
- Barclaycard payment security and PCI DSS information
- Barclaycard white paper "Processing online payments securely"
- Barclaycard's PCI DSS compliant payment gateway
- Payment Card Industry Security Standards Council
- Visa downloads and resources (where vulnerability guidance can also be found)
About the sponsor

Star provides on-demand computing and communication services to UK businesses. Utilising an advanced cloud computing platform, the company has redefined how business people use and pay for the technology that supports them. Star's On-Demand Business Services (TM) are easy to use and pay for and are available any time and from anywhere, removing unnecessary costs for hardware, software and ongoing maintenance.

Since 1995, when Star was founded, the company has been an internet technology innovator and pioneered the system for cloud-based spam and virus scanning for business that became MessageLabs. In the last 14 years Star has established itself as a leading IT and communications service provider of the highest pedigree, looking after 3,500 UK business customers and their 500,000 users. Star has UK-based datacentres that sit within a network and communications capability that forms the basis of the Star Platform, from which a wide range of computing and communication services are delivered to customers. Star has more than 230 employees working from offices throughout the UK, providing the highest levels of customer service and support. Star's technology roadmap will deliver on-demand, cloud computing services to UK businesses who want immediate access to the latest enterprise technologies.

For more information please go to
Contact Star
Telephone:
Visit:
info@star.net.uk
How to Develop a PCI Compliance Program And Take a Step on the IG Career Path Andrew Altepeter Any organization that processes customer payment cards must comply with the Payment Card Industry s Data Security
More informationPCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
More informationWhy Is Compliance with PCI DSS Important?
Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These
More informationPayment Card Industry - Achieving PCI Compliance Steps Steps
CUR RITY SE Data Security Requirements for K-12 January 28, 2010 Payment Card Industry (PCI) SE CUR RITY 1 Welcome To Join The Voice Conference Dial 866-939-3921 Technical issues press 0 Q & A We ll leave
More informationPCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES
PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES CUTTING THROUGH THE COMPLEXITY AND CONFUSION Over the years, South African retailers have come under increased pressure to gain PCI DSS (Payment Card Industry
More informationPCI DSS Compliance White Paper
PCI DSS Compliance White Paper 2012 Edition Copyright 2012, NetClarity, Inc. All rights reserved worldwide. Patents issued and pending. PCI DSS Compliance White Paper NetClarity, Inc. Page 1 Welcome to
More informationAchieving Compliance with the PCI Data Security Standard
Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),
More informationPCI Compliance: Protection Against Data Breaches
Protection Against Data Breaches Get Started Now: 877.611.6342 to learn more. www.megapath.com The Growing Impact of Data Breaches Since 2005, there have been 4,579 data breaches (disclosed through 2013)
More informationProtecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance
Payment Security White Paper Protecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance Breaches happen across all industries as thieves look for vulnerabilities.
More informationYour Compliance Classification Level and What it Means
General Information What are the Payment Card Industry (PCI) Data Security Standards? The PCI Data Security Standards represents a common set of industry tools and measurements to help ensure the safe
More informationProject Title slide Project: PCI. Are You At Risk?
Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services
More informationPCI DSS. Payment Card Industry Data Security Standard. www.tuv.com/id
PCI DSS Payment Card Industry Data Security Standard www.tuv.com/id What Is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is the common security standard of all major credit cards brands.the
More informationTNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business
TAKING OUR CUSTOMERS BUSINESS FORWARD The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment
More informationPCI Security Compliance
E N T E R P R I S E Enterprise Security Solutions PCI Security Compliance : What PCI security means for your business The Facts Comodo HackerGuardian TM PCI and the Online Merchant Overview The Payment
More informationPCI DSS. CollectorSolutions, Incorporated
PCI DSS Robert Cothran President CollectorSolutions www.collectorsolutions.com CollectorSolutions, Incorporated Founded as Florida C corporation in 1999 Approximately 235 clients in 35 states Targeted
More informationThird Party Agent Registration and PCI DSS Compliance Validation Guide
Visa Europe Third Party Agent Registration and PCI DSS Compliance Validation Guide May 2016 Version 1.3 Visa Europe 2015 Contents 1 Introduction... 4 1.1 Definitions of Agents... 4 2 Registration Process...
More informationThe Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development
The Cost of Payment Card Data Theft and Your Business Aaron Lego Director of Business Development Presentation Agenda Items we will cover: 1. Background on Payment Card Industry Data Security Standards
More informationIT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER
July 9 th, 2012 Prepared By: Mark Akins PCI QSA, CISSP, CISA WHITE PAPER IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD PCI DSS for Merchants The Payment
More informationSafe and Sound Processing Telephone Payments Securely. A white paper from Barclaycard and Visa Europe leading the way in secure payments April 2015
Safe and Sound Processing Telephone Payments Securely A white paper from Barclaycard and Visa Europe leading the way in secure payments April 2015 Executive summary The following information and guidance
More informationPayment Card Industry Data Security Standards.
Payment Card Industry Data Security Standards. Your guide to protecting cardholder data Helping you manage the risk. Credit Card fraud and data compromises are an increasingly serious problem, costing
More informationWhat Every Business Should Know About PCI Compliance
What Every Business Should Know About PCI Compliance www.bullseyetelecom.com As technology advances, identity thieves are also finding easier ways to steal vital information such as credit card data. Businesses
More informationSecuring The Data. Payment System Forum Bank Negara Malaysia. 27 th November 2014. Murugesh Krishnan Head of Risk, South & Southeast Asia
Securing The Data Payment System Forum Bank Negara Malaysia 27 th November 2014 Murugesh Krishnan Head of Risk, South & Southeast Asia Disclaimer Case studies, statistics, research and recommendations
More informationTokenization Amplified XiIntercept. The ultimate PCI DSS cost & scope reduction mechanism
Tokenization Amplified XiIntercept The ultimate PCI DSS cost & scope reduction mechanism Paymetric White Paper Tokenization Amplified XiIntercept 2 Table of Contents Executive Summary 3 PCI DSS 3 The PCI
More informationPCI DSS Payment Card Industry Data Security Standard. Merchant compliance guidelines for level 4 merchants
Appendix 2 PCI DSS Payment Card Industry Data Security Standard Merchant compliance guidelines for level 4 merchants CONTENTS 1. What is PCI DSS? 2. Why become compliant? 3. What are the requirements?
More informationA PCI Journey with Wichita State University
A PCI Journey with Wichita State University Blaine Linehan System Software Analyst III Financial Operations & Business Technology Division of Administration & Finance 1 Question #1 How many of you know
More informationInformation Security Services. Achieving PCI compliance with Dell SecureWorks security services
Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)
More informationVaronis Systems & The Payment Card Industry Data Security Standard (PCI DSS)
CONTENTS OF THIS WHITE PAPER Overview... 1 Background... 1 Who Needs To Comply... 1 What Is Considered Sensitive Data... 2 What Are the Costs/Risks of Non-Compliance... 2 How Varonis Helps With PCI Compliance...
More informationP R O G R E S S I V E S O L U T I O N S
PCI DSS: PCI DSS is a set of technical and operational mandates designed to ensure that all organizations that process, store or transmit credit card information maintain a secure environment and safeguard
More informationNet Report s PCI DSS Version 1.1 Compliance Suite
Net Report s PCI DSS Version 1.1 Compliance Suite Real Security Log Management! July 2007 1 Executive Summary The strict requirements of the Payment Card Industry (PCI) Data Security Standard (DSS) are
More informationCustomer Card Data Security and You
Customer Card Data Security and You 01 What Is Global Fortress? Global Fortress is designed as a first line defence to provide you with the resources to help you in your fight against fraudsters. It simplifies
More informationPCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:
What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers
More informationIS YOUR CUSTOMERS PAYMENT DATA REALLY THAT SAFE? A Chase Paymentech Paper
IS YOUR CUSTOMERS PAYMENT DATA REALLY THAT SAFE? A Chase Paymentech Paper A data breach has the potential to cost retailers millions in lost customers and sales. In this paper we discuss a number of possible
More informationTwo Approaches to PCI-DSS Compliance
Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,
More informationPayment Card Industry Compliance Overview
January 31, 2014 11:30am 12:30pm Central Hosted by: Texas.gov Presented by: Jayne Holland Barbara Brinson Payment Card Industry Compliance Overview Securing Government Payments Audio Dial In: 866-740-1260
More informationDATA SECURITY. Payment Card Industry (PCI) Compliance Steps for Organizations May 26, 2010. 2010 Merit Member Conference
2010 Merit Member Conference Compliance Steps for Organizations May 26, 2010 Payment Card Industry (PCI) 1 Welcome 2 Welcome Q & A We ll leave time to address questions during the last 15 minutes of the
More informationThe 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
More informationPayment Security Account Data Compromise (ADC)
Payment Security Account Data Compromise (ADC) 10 th July 2014 Michael Christodoulides & Louise Hunt All information correct at time of presentation Introductions Barclaycard has become increasingly aware
More informationPCI DSS 3.0 Changes & Challenges P R E S I D E N T/ C O - F O U N D E R F R S EC U R E
PCI DSS 3.0 Changes & Challenges EVAN FRANCEN, CISSP CISM P R E S I D E N T/ C O - F O U N D E R F R S EC U R E PCI DSS 3.0 Changes & Challenges Topics FRSecure, the company Introduction to PCI-DSS Recent
More informationSection 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
More informationWhite Paper On. PCI DSS Compliance And Voice Recording Implications
White Paper On PCI DSS Compliance And Voice Recording Implications PCI DSS within the UK is becoming a hot topic of conversation, with many contradictions and confusions being issued by suppliers and professionals
More informationNeed to be PCI DSS compliant and reduce the risk of fraud?
Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction
More informationAdyen PCI DSS 3.0 Compliance Guide
Adyen PCI DSS 3.0 Compliance Guide February 2015 Page 1 2015 Adyen BV www.adyen.com Disclaimer: This document is for guidance purposes only. Adyen does not accept responsibility for any inaccuracies. Merchants
More informationIntroduction to PCI DSS
Month-Year Introduction to PCI DSS March 2015 Agenda PCI DSS History What is PCI DSS? / PCI DSS Requirements What is Cardholder Data? What does PCI DSS apply to? Payment Ecosystem How is PCI DSS Enforced?
More informationSecurity Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments
Security in the Payment Card Industry OWASP AppSec Seattle Oct 2006 Hap Huynh, Information Security Specialist, Visa USA hhuynh@visa.com Copyright 2006 - The OWASP Foundation Permission is granted to copy,
More informationPCI DSS Overview. By Kishor Vaswani CEO, ControlCase
PCI DSS Overview By Kishor Vaswani CEO, ControlCase Agenda About PCI DSS PCI DSS Applicability to Banks, Merchants and Service Providers PCI DSS Technical Requirements Overview of PCI DSS 3.0 Changes Key
More informationPayment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions
PCI/PA-DSS FAQs Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions What is PCI DSS? The Payment Card Industry Data
More informationPCI DSS: An Evolving Standard
White Paper PCI DSS: An Evolving Standard PCI 3.0 and 3.1 Key Requirements Explained 2015 SecurityMetrics PCI DSS: An Evolving Standard 2 PCI DSS An Evolving Standard The Payment Card Industry Data Security
More informationPCI DSS Compliance Services January 2016
PCI DSS Compliance Services January 2016 20160104-Galitt-PCI DSS Compliance Services.pptx Agenda 1. Introduction 2. Overview of the PCI DSS standard 3. PCI DSS compliance approach Copyright Galitt 2 Introduction
More informationPayment Card Industry Data Security Standard (PCI DSS)
Payment Card Industry Data Security Standard (PCI DSS) WARNING: Your company may be in noncompliance with the Payment Card Industry Data Security Standard (PCI DSS), placing it at risk of brand damage,
More informationPuzzled about PCI compliance? Proactive ways to navigate through the standard for compliance
Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com
More informationNine Steps to Smart Security for Small Businesses
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...
More informationProtect Data. Secure Business.
Achieve Payment Card Industry Data Standard Security (PCI DSS) compliance today, while advancing your network for the technology of tomorrow. Protect Data. Secure Business. Building Your Business With
More information