Top PCI 3.0 Challenges for Chain Merchants. March 11, 2015
|
|
- Edwin Long
- 8 years ago
- Views:
Transcription
1 Top PCI 3.0 Challenges for Chain Merchants March 11, 2015
2 Webinar Program Wednesday, March 11, 2015 Presentations 3PM 3:45PM Eastern Questions & Answers 3:45PM 4:00PM Eastern Agenda Cybercrime PCI DSS 3.0 Cyber Risk Management Rick Dakin, CEO and Chief Security Strategist Coalfire Reaching Continuous Compliance Implementing Data Security Shekar Swamy, President and Senior Security Strategist - Omega ATC
3 Cybercrime PCI DSS 3.0 Cyber Risk Management Rick Dakin, CEO and Chief Security Strategist
4 Reaching Continuous Compliance Implementing Data Security Shekar Swamy, President and Senior Security Strategist
5 Evolving Risk Landscape New Attack Surfaces New Attack Vectors More Active Nation States
6 A wake-up call the cyber threat is increasing
7 Lessons Learned PROFILE OF LARGE U.S. MERCHANT BREACHES Based on forensic reports from a sample of 11 large U.S. merchants that experienced a data breach: 9 had privileged credentials compromised 9 had sysadmin IDs exploited 8 had weak application security testing 8 did not have adequate monitoring 6 had malware installed on POS systems 6 had weak segmentation between corporate and cardholder data environment 5 had completed PCI DSS validation prior to the breach 2 had a weak audit function Examples of Issues Leading to Compromise of Privileged Credentials Security staff using infected USB stick Citadel Trojan Root compromise through vendor Domain IDs had simple passwords with no expiration, no history and high number of lockout attempts Contractor with infected machine Default POS admin IDs and passwords Open web server console Weak domain password in development Compromised PC belonging to administrator
8 New VISA Guidance to Retailers Risk Management VISA Strategy Enhance network security Control administrative accounts Harden POS platforms Secure web accessible applications Mitigate 3 rd Party Risk Deploy more secure applications o EMV o Encryption o Tokenization 8
9 Industry Awareness VISA Enforcement Enhanced, globally-consistent PCI DSS validation Fines for organizations (merchants, service providers, issuers, processers, etc.) o Overdue PCI DSS validation/never validated o AND have not submitted a Remediation plan Enforcement began Jan 1, 2015
10 Version 2.0 to 3.0 Changes
11 Get Ready for PCI DSS 3.0 PCI DSS v3.0 became effective on January 1 st 2015 with the following impact: Scope definition is more precise and documented Systems and cardholder data inventories are more thorough Network diagrams with data flows require more documentation Sample size definition becomes more stringent Evidence management forces enhanced testing Enhanced 3 rd Party oversight and more details on PA-DSS validation Business as Usual -> Enhanced Risk Assessment READ: PCI DSS validation is getting harder with more enforcement
12 PCI DSS 3.0 Drivers for Change Lack of education and awareness Weak passwords and authentication Third Party security challenges Slow self-detection of breach or malware Inconsistency in assessment
13 PCI DSS 3.0 Goals The PCI SSC is pushing the concept of ongoing or continuous compliance management. Monitoring of security controls Detect and respond to failures in security controls Review all changes to the environment Organization structure changes Periodic reviews Annual hardware/software review American Technology Corporation omegasecure.com 13
14 Changes to Penetration Testing Methodology Document a methodology that can be used to prove CDE boundaries are secured Pen test must demonstrate that all CDE boundaries are secured as expected
15 Card Data Flows Full dataflow diagrams now required Confidence on internal and external CDE boundaries
16 Expanded Documentation Requirements Specific requirements for each control family Responsible personnel must be trained on the CDE policies and procedures Documentation needs to be readily available
17 New SAQ Validation Types SAQ Validation Type Description # of Questions v3.0 Change # from v2.1 ASV Scan Required v3.0 Penetration Test Required V3.0 A A-EP B B-IP C Card-not-present merchants: All payment processing functions fully outsourced, no electronic cardholder data storage E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data storage Merchants with only imprint machines or only standalone dial-out payment terminals: No e-commerce or electronic cardholder data storage Merchants with standalone, IP-connected payment terminals: No e- commerce or electronic cardholder data storage Merchants with payment application systems connected to the Internet: No e-commerce or electronic cardholder data storage No No 139 NEW Yes Yes No No 83 NEW Yes No Yes Yes C-VT Merchants with web-based virtual payment terminals: No e-commerce or electronic cardholder data storage No No D-MER All other SAQ-eligible merchants Yes Yes D-SP SAQ-eligible service providers 347 NEW Yes Yes P2PE Hardware payment terminals in a validated PCI P2PE solution only: No e- commerce or electronic cardholder data storage No No
18 PCI DSS 3.0 Phased Requirements 2015 These requirements are considered best practices only until June 30, 2015 at which time they become mandatory for all 3.0 assessments. Requirement Broken authentication and session management. Requirement New requirement for service providers to use different authentication credentials for access into different customer environments. Requirement(s) 9.9.x New (merchant) requirements to protect point-of-sale devices that capture payment card data from tampering or unauthorized modification or substitution.
19 PCI DSS 3.0 More Phased Requirements 2015 Remember to start implementing processes for these phased requirements now. Many of them will take several months of planning, testing and training to implement properly. Don t wait until next June! Requirement 11.3.X Expanded requirements/expectations for penetration testing controls. PCI DSS v2.0 requirements for penetration testing may be followed until July Requirement 12.9 Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data.
20 Beyond Compliance Cyber Risk Management
21 Compliance does not equal security Compliance Conforming to a set of rules or standards. Generally confirmed by an assessor providing an opinion based on: 1. Observation 2. Inquiry 3. Inspection 4. Walk-throughs Security Implementing Technical, Physical, and Administrative controls to provide 1. Confidentiality 2. Integrity 3. Availability
22 Cyber Risk is Now a Matter of Corporate Governance 1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. 2. Directors should understand the legal implications of cyber risks as they relate to their company s specific circumstances. 3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda. 4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget. 5. Board management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
23 Accountability is the Key to Effective Cyber Risk Management
24 Effective Cyber Risk Management Must Be Comprehensive Cyber Risk Cycle
25 Impact on 2014 Assessment Changing from check box compliance testing to cyber risk management 1. Test new technologies Virtualization Scope, samples sizes, virtual appliances, access Cloud data ownership, 3 rd party reliability and compliance, incident response, the right Trust Principles in SOC 1 & 2 Mobile Platform security, application security, communication security 2. Integrate more security testing Pen Testing the ultimate truth teller Forensic why not pretend you are under attack periodically? 3. Include Process Testing Incident response drills make it real! Then, measure results. Datacenter to boardroom dialogue How will the organization reduce risk? Reduce attack surface? Increase controls? Improve monitoring? 3rd Party risk management did they just sign the vendor agreement or are they protecting your critical systems and sensitive data?
26 Preparation Prevention Maintenance Remediation Recovery Data security cannot be implemented overnight Make data security a part of your company culture Understand how to stay organized in your data security activities
27 Preparation for PCI DSS Make sure that anything you have in place is indeed working and up-to-date 2. Minimize or remove cardholder data (CD) from all systems 3. Examine information security policies pertaining to stores and verify they are followed 4. Create an Incident Response Plan
28 Preparation Implementing PCI DSS Focus on cardholder data environment Segmentation Processes manual, settlements, charge backs Third party service providers Diagrams and flow Inventory of systems and applications in CDE 2. Create inventory of all hardware and software Network equipment payment applications Security infrastructure Server and storage infrastructure Authentication infrastructure Management applications
29 Prevention 1. External and internal scanning 2. Secure encrypted remote control 2 FA 3. Patch management regularly done and tracked 4. Endpoint Security centralized logging is required 5. Network Segmentation limits scope and reduces risk 6. No cardholder data retained in the clear validation required 7. Wireless intrusion detection and prevention 8. Logging of patches, events, activity, remote control, firewall, file integrity monitoring and wireless intrusion prevention 9. All logs must be centrally retained for 1 year 10. Event logs need to generate security alerts
30 Maintenance 1. Inspect POS systems regularly for any evidence of tampering 2. Conduct periodic reviews of DSS requirements to be sure they operate as designed 3. Monitor security controls to ensure effective operation 4. Maintain inventory of all hardware and software 5. Test your incident response plan annually 6. Event logs must be regularly analyzed in order to generate security alerts
31 Remediation 1. Fix the vulnerabilities identified by external and internal scans 2. Examine firewall router logs 3. Apply patches, fixes, workarounds and changes to unsafe processes and workflow 4. Re-scan to verify that remediation actually occurred
32 Recovery 1. Execute the Incidence Response Plan 2. Contact law enforcement, legal, and customers 3. Conduct investigation to find out which areas of environment have been compromised 4. Inform acquiring banks, customers, QSA firm, etc.
33 Recovery 1. The best data security can still be vulnerable to breaches 2. Event logging makes the forensic investigation faster and less expensive in the event of a breach 3. Security alerts allow the retailer to inform customers of breaches, rather than customers finding out the hard way 4. As always, all data should be backed up
34 The Customer loves c-stores more than ever. 83.7% of motor fuel purchases in America are made at convenience stores. 3 to 4 minutes is the average time for a customer to walk in, purchase an item, and depart. $32 BB spent annually on food items from convenience stores alone. 1,100 customers per day walk into a single C-store that sells petroleum on average.
35 The Customer uses their credit cards for most purchases. Customers want to feel secure when they give you their credit card Convenience stores are highly sought after and trusted by consumers of all ages Convenience is what they want - fast, efficient and friendly They don t even think when they give you the card for a transaction You have their trust - they expect you to protect it
36
37
38 Think of data security today: from the Inside of Enterprise - to the Perimeter. There needs to be an information-based and activitybased data strategy The enterprise has to be secured from the inside-out Cloud-based storage makes securing data more difficult It is harder to know where sensitive information is actually being stored at a given time
39 Data security realities in Cyber risk is a matter of corporate governance 2. PCI DSS 3.0 is about continuous compliance 3. Penetration testing must demonstrate that CDE boundaries are secured as expected. 4. Service Providers must be certified compliant. 5. Even small merchants may need to be validated for compliance. 6. Centralized data security management is essential. 7. Data security needs to be from the Inside-Out.
40 Questions? Type your questions in the chat box. Rick Dakin and Shekar Swamy will address them.
41 Thank You Rick Dakin CEO and Chief Security Strategist Office: x7001 coalfire.com Shekar Swamy President and Sr. Security Strategist Office: x2450 omegasecure.com American Technology Corporation omegasecure.com 41
42 Coalfire Systems, Inc. coalfire.com Omega ATC omegasecure.com Leading independent provider of IT Governance, Risk and Compliance (IT-GRC) management services Focused expertise in Healthcare (HIPAA), Retail (PCI), Banking (GLBA), Utilities (NERC) and Cloud (FedRAMP) Full suite of IT GRC solutions: compliance audit, risk and vulnerability assessment, application security, penetration testing and forensic analysis Served over [1,300] clients to date, including Oracle, TSYS, Epic, IBM, Ford, Nordstrom, EchoStar, Microsoft, Intuit, Overstock Over [250] employees and contractors across [11] offices: UK, Boston, Denver, Seattle, New York, Atlanta, Los Angeles, San Francisco, San Diego, Washington DC and Dallas PCI DSS 3.0 Certified Compliant Managed Security Services Provider (MSSP) Serving customers nationally in the convenience store, quick service restaurant, petroleum market and specialty retail spaces 24-year history of performance helping customers simplify and manage retail systems Clients include Fortune 500 corporations to small familyowned businesses Omega systems and services widely used in the market Rapid deployment process, focus on systems management, data security and helping customers achieve compliance Member of NACS, Conexxus, NRF and SIGMA
PCI 3.1 Changes. Jon Bonham, CISA Coalfire System, Inc.
PCI 3.1 Changes Jon Bonham, CISA Coalfire System, Inc. Agenda Introduction of Coalfire What does this have to do with the business office Changes to version 3.1 EMV P2PE Questions and Answers Contact Information
More informationPCI Compliance 3.1. About Us
PCI Compliance 3.1 University of Hawaii About Us Helping organizations comply with mandates, recover from security breaches, and prevent data theft since 2000. Certified to conduct all major PCI compliance
More informationPCI Risks and Compliance Considerations
PCI Risks and Compliance Considerations July 21, 2015 Stephen Ramminger, Senior Business Operations Manager, ControlScan Jon Uyterlinde, Product Manager, Merchant Services, SVB Agenda 1 2 3 4 5 6 7 8 Introduction
More informationBecoming PCI Compliant
Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History
More informationPCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS
PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS CIVICA Conference 22 January 2015 WELCOME AND AGENDA Change is here! PCI-DSS 3.0 is mandatory starting January 1, 2015 Goals of the session
More informationPayment Security Update
Payment Security Update Rick Dakin, CEO & Cofounder October 2, 2014 Agenda Coalfire Introduction Changing Environment Threats Technology Compliance Mobile Security Recent Data Breaches Risk Management
More informationAre You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014
Are You Ready For PCI v 3.0 Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014 Today s Presenter Corbin Del Carlo QSA, PA QSA Director, National Leader PCI Services Practice 847.413.6319
More informationNew PCI Standards Enhance Security of Cardholder Data
December 2013 New PCI Standards Enhance Security of Cardholder Data By Angela K. Hipsher, CISA, QSA, Jeff A. Palgon, CPA, CISSP, QSA, and Craig D. Sullivan, CPA, CISA, QSA Payment cards a favorite target
More informationBreach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security
Breach Findings for Large Merchants 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security Disclaimer The information or recommendations contained herein are
More informationMITIGATING LARGE MERCHANT DATA BREACHES
MITIGATING LARGE MERCHANT DATA BREACHES Tia D. Ilori Ed Verdurmen January 2014 1 DISCLAIMER The information or recommendations contained herein are provided "AS IS" and intended for informational purposes
More informationPCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock
PCI DSS 3.0 Overview OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock 01/16/2015 Purpose of Today s Presentation To provide an overview of PCI 3.0 based
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 3.2 May 2016 Document Changes Date Version Description October 1, 2008 1.2 October 28,
More informationPCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard
PCI Compliance Crissy Sampier, Longwood University Edward Ko, CampusGuard Agenda Introductions PCI DSS 101 Chip Cards (EMV) Longwood s PCI DSS Journey Breach Statistics Shortcuts to PCI DSS Compliance
More informationWhat does it mean to be secure?
OmegaSecure.com What does it mean to be secure? Shekar Swamy, President Omega ATC What is Data Security? Data security is the means of ensuring that data is kept safe from corruption and access to it is
More informationNorth Carolina Office of the State Controller Technology Meeting
PCI DSS Security Awareness Training North Carolina Office of the State Controller Technology Meeting April 30, 2014 agio.com A Note on Our New Name Secure Enterprise Computing was acquired as the Security
More informationPCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics
PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics About Us Matt Halbleib CISSP, QSA, PA-QSA Manager PCI-DSS assessments With SecurityMetrics for 6+ years SecurityMetrics Security
More informationPCI DSS 3.0 and You Are You Ready?
PCI DSS 3.0 and You Are You Ready? 2014 STUDENT FINANCIAL SERVICES CONFERENCE Linda Combs combslc@jmu.edu Ron King rking@campusguard.com AGENDA PCI and Bursar Office Role Key Themes in v3.0 Timelines Changes
More informationNACS/PCATS WeCare Data Security Program Overview
NACS/PCATS WeCare Data Security Program Overview March 27, 2012 Abstract This document describes the WeCare Program, discusses common data security threats, outlines an 8-point plan to improve data security,
More informationPCI It Never Ends! Shekar Swamy, President Omega ATC. Denise Lewis, Pinnacle POS Product Manager. omegasecure.com
PCI It Never Ends! Shekar Swamy, President Omega ATC Denise Lewis, Pinnacle POS Product Manager Palm POS PCI Status Pinnacle Palm POS is PCI compliant! Palm POS continues to evolve with the PCI DSS: -
More informationWhat s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1
What s New in PCI DSS 2.0 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 Agenda PCI Overview PCI 2.0 Changes PCI Advanced Technology Update PCI Solutions 2010 Cisco and/or
More informationINFORMATION TECHNOLOGY FLASH REPORT
INFORMATION TECHNOLOGY FLASH REPORT Understanding PCI DSS Version 3.0 Key Changes and New Requirements November 8, 2013 On November 7, 2013, the PCI Security Standards Council (PCI SSC) announced the release
More informationWhy Is Compliance with PCI DSS Important?
Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These
More informationPCI Compliance in Multi-Site Retail Environments
TECHNICAL ASSESSMENT WHITE PAPER PCI Compliance in Multi-Site Retail Environments Executive Summary As an independent auditor, Coalfire seeks to be a trusted advisor to our clients. Our role is to help
More informationTrend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard
Partner Addendum Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard The findings and recommendations contained in this document are provided by VMware-certified
More informationThe State of Security and Compliance for E- Commerce and Retail
The State of Security and Compliance for E- Commerce and Retail Current state of security PCI regulations and compliance Does the data you hold require PCI compliance Security and safeguarding against
More informationPCI DSS Overview. By Kishor Vaswani CEO, ControlCase
PCI DSS Overview By Kishor Vaswani CEO, ControlCase Agenda About PCI DSS PCI DSS Applicability to Banks, Merchants and Service Providers PCI DSS Technical Requirements Overview of PCI DSS 3.0 Changes Key
More informationPCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com Overview PCI DSS In the beginning Each major card brand had its own separate
More informationPCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014
PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions
More informationA Wake-Up Call? Fight Back Against Cybercrime. Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014
A Wake-Up Call? Fight Back Against Cybercrime Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014 1 Coalfire Background Leading Information Security Consulting Firm Offices: Atlanta,
More informationPCI DSS Overview and Solutions. Anwar McEntee Anwar_McEntee@rapid7.com
PCI DSS Overview and Solutions Anwar McEntee Anwar_McEntee@rapid7.com Agenda Threat environment and risk PCI DSS overview Who we are Solutions and where we can help Market presence High Profile Hacks in
More informationPCI Compliance Overview
PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)
More informationProject Title slide Project: PCI. Are You At Risk?
Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services
More informationData Security for the Hospitality
M&T Bank and SecurityMetrics Present: Data Security for the Hospitality Industry Featuring Lee Pierce, SecurityMetricsStrategicStrategic Accounts Dave Ellis, SecurityMetrics Forensic Investigator Doug
More informationPCI: It Never Ends. Why?
PCI: It Never Ends. Why? How to stay prepared? Shekar Swamy American Technology Corporation St. Louis, MO January 13, 2011 PCI compliance basics It s all about Data Security 12 major areas of compliance
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationPCI v 3.0 What you should know! Emily Coble UNC Chapel Hill Robin Mayo East Carolina University
PCI v 3.0 What you should know! Emily Coble UNC Chapel Hill Robin Mayo East Carolina University Session Etiquette Please turn off all cell phones. Please keep side conversations to a minimum. If you must
More informationCHEAT SHEET: PCI DSS 3.1 COMPLIANCE
CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,
More informationSECURITY FIRST: CLARITY ON PCI COMPLIANCE
WHITE PAPER CLOUD HOSTING. SECURED. SECURITY FIRST: CLARITY ON PCI COMPLIANCE WWW.SERVERCHOICE.COM SECURITY FIRST: CLARITY ON PCI COMPLIANCE This Security First white paper provides an illustrated view
More informationContinuous compliance through good governance
PCI DSS Compliance: A step into the payment ecosystem and Nets compliance program Continuous compliance through good governance Who are the PCI SSC? The Payment Card Industry Security Standard Council
More informationAdministrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation
The PCI DSS Lifecycle 1 The PCI DSS follows a three-year lifecycle PCI DSS 3.0 will be released in November 2013 Optional (but recommended) in 2014; Required in 2015 PCI SSC Community Meeting Update: PCI
More informationThis appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected
This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.
More informationPCI Compliance. Top 10 Questions & Answers
PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements
More informationPCI Overview. Lee Buttke Director of Consulting QSA, CPISM, CISSP
PCI Overview Lee Buttke Director of Consulting QSA, CPISM, CISSP About NetSPI Security and compliance consulting solutions for highly regulated markets QSA, PA-QSA, and ASV Higher Education and Retail/Payment
More informationPayment Card Industry Data Security Standard
Payment Card Industry Data Security Standard Office of the State Treasurer Ryan Pitroff Banking Services Manager Ryan.Pitroff@tre.wa.gov PCI-DSS A common set of industry tools and measurements to help
More informationPCI DSS v3.0 SAQ Eligibility
http://www.ambersail.com Disclaimer: The information in this document is provided "as is" without warranties of any kind, either express or implied, including, without limitation, implied warranties of
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other SAQ-Eligible Merchants and Service Providers Version 2.0 October 2010 Document
More informationTechnology Innovation Programme
FACT SHEET Technology Innovation Programme The Visa Europe Technology Innovation Programme () was designed to complement the Payment Card Industry (PCI) Data Security Standard (DSS) by reflecting the risk
More informationPCI Security Standards Council
PCI Security Standards Council Jeremy King, European Director 2013 Why PCI Matters Applying PCI How You Can Participate Agenda 2 Why PCI Matters Applying PCI How You Can Participate Agenda About the PCI
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationBAE Systems PCI Essentail. PCI Requirements Coverage Summary Table
BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance
More informationPCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
More informationPayment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.
Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History
More informationPayment Card Industry Data Security Standards
Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This
More informationCyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance
Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name
More informationEncryption and Tokenization: Protecting Customer Data. Your Payments Universally Amplified. Tia D. Ilori Sue Zloth September 18, 2013
Encryption and Tokenization: Protecting Customer Data Your Payments Universally Amplified Tia D. Ilori Sue Zloth September 18, 2013 Agenda Global Threat Landscape Real Cost of a Data Breach Evolution of
More informationPCI DSS Compliance. 2015 Information Pack for Merchants
PCI DSS Compliance 2015 Information Pack for Merchants This pack contains general information regarding PCI DSS compliance and does not take into account your business' particular requirements. ANZ recommends
More informationHow Secure is Your Payment Card Data?
How Secure is Your Payment Card Data? Complying with PCI DSS SLIDE 1 PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security Practice PCI Practice Leader Francis has
More informationHOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS
HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS August 23, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Presenters Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security
More informationCase 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A
Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879 Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 2 of 116 PageID: 4880 Payment Card Industry (PCI)
More informationAn article on PCI Compliance for the Not-For-Profit Sector
Level 8, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 An article on PCI Compliance for the Not-For-Profit Sector Page No.1 PCI Compliance for the Not-For-Profit Sector
More informationSection 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
More informationMasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.
MasterCard PCI & Site Data Protection (SDP) Program Update Academy of Risk Management Innovate. Collaborate. Educate. The Payment Card Industry Security Standards Council (PCI SSC) Open, Global Forum Founded
More informationPCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP
cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing
More informationHow to Sell PCI 3.1 to Your Merchants. Matt Brown, Director of Business Development
How to Sell PCI 3.1 to Your Merchants Matt Brown, Director of Business Development MAC is an organization of Bankcard professionals involved in the risk management side of Card Processing. We have members
More informationCustomer PCI 3.0 Changes = New Opportunity For You. Giles Witherspoon-Boyd SecurityMetrics
Customer PCI 3.0 Changes = New Opportunity For You Giles Witherspoon-Boyd SecurityMetrics Who is this guy? Giles Witherspoon-Boyd, PCIP 15 years in technology, 4 years at SecurityMetrics SecurityMetrics
More informationSo you want to take Credit Cards!
So you want to take Credit Cards! Payment Card Industry - Data Security Standard: (PCI-DSS) Doug Cox GSEC, CPTE, PCI/ISA, MBA dcox@umich.edu Data Security Analyst University of Michigan PCI in Higher Ed
More informationAISA Sydney 15 th April 2009
AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks
More informationJosiah Wilkinson Internal Security Assessor. Nationwide
Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges
More informationCredit Card Processing, Point of Sale, ecommerce
Credit Card Processing, Point of Sale, ecommerce Compliance, Self Auditing, and More John Benson Kurt Willey HACKS REGULATIONS Greater Risk for Merchants Topics Compliance Changes Scans Self Audits
More informationGFI White Paper PCI-DSS compliance and GFI Software products
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
More informationPCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard rking@campusguard.com
PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard rking@campusguard.com Whoops!...3.1 Changes 3.1 PCI DSS Responsibility Information Technology Business Office PCI DSS Work Information
More informationData Security Basics for Small Merchants
Data Security Basics for Small Merchants 28 October 2015 Stan Hui Director, Merchant Risk Lester Chan Director, Merchant Risk Disclaimer The information or recommendations contained herein are provided
More informationPayment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0
Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview
More informationThoughts on PCI DSS 3.0. D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director
Thoughts on PCI DSS 3.0 D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director Agenda 1 2 3 Global Payment Card Statistics and Trends PCI DSS Overview PCI DSS Version 3.0: Important Timelines
More informationPCI v2.0 Compliance for Wireless LAN
PCI v2.0 Compliance for Wireless LAN November 2011 This white paper describes how to build PCI v2.0 compliant wireless LAN using Meraki. Copyright 2011 Meraki, Inc. All rights reserved. Trademarks Meraki
More informationPCI DSS. Payment Card Industry Data Security Standard. www.tuv.com/id
PCI DSS Payment Card Industry Data Security Standard www.tuv.com/id What Is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is the common security standard of all major credit cards brands.the
More informationPCI Data Security Standards
PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million
More informationFrequently Asked Questions
PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply
More informationARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE
ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance
More information2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock
2015 PCI DSS Meeting OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock 11/3/2015 Today s Presentation What do you need to do? What is PCI DSS? Why PCI DSS? Who Needs to Comply
More informationA PCI Journey with Wichita State University
A PCI Journey with Wichita State University Blaine Linehan System Software Analyst III Financial Operations & Business Technology Division of Administration & Finance 1 Question #1 How many of you know
More informationVendor 1 QUESTION CCSF RESPONSE
Vendor 1 QUESTION 1 If we have already filled out the vendor profile application, business tax declaration and local business forms will we need to fill them out again? 2 Is CCSF open to rolling up all
More informationFranchise Data Compromise Trends and Cardholder. December, 2010
Franchise Data Compromise Trends and Cardholder Security Best Practices December, 2010 Franchise Data Security Agenda Cardholder Data Compromise Overview Breach Commonalities Hacking Techniques Franchisee
More informationCredit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600
Credit Cards and Oracle: How to Comply with PCI DSS Stephen Kost Integrigy Corporation Session #600 Background Speaker Stephen Kost CTO and Founder 16 years working with Oracle 12 years focused on Oracle
More informationHow To Achieve Pca Compliance With Redhat Enterprise Linux
Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving
More informationPCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina ricklambert@sc.
PCI Compliance at The University of South Carolina Failure is not an option Rick Lambert PMP University of South Carolina ricklambert@sc.edu Payment Card Industry Data Security Standard (PCI DSS) Who Must
More informationPuzzled about PCI compliance? Proactive ways to navigate through the standard for compliance
Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com
More informationPreparing for PCI DSS 3.0 & Ensuring a Seamless Transition. November 2013
Preparing for PCI DSS 3.0 & Ensuring a Seamless Transition November 2013 Introductions Brian Serra PCI Practice Director Nick Puetz Managing Director - Strategic Services 2013 FishNet Security Inc. All
More informationHow SafenSoft TPSecure can help. Compliance
How SafenSoft TPSecure can help with PCI DSS Compliance June 2011 Tel: 1-866-846-6779 Fax: 1-408 273 Executive Summary In an era of increasingly sophisticated attacks on systems, it is vital that any business
More informationPayment Card Industry Compliance Overview
January 31, 2014 11:30am 12:30pm Central Hosted by: Texas.gov Presented by: Jayne Holland Barbara Brinson Payment Card Industry Compliance Overview Securing Government Payments Audio Dial In: 866-740-1260
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 1.1 February 2008 Table of Contents About this Document... 1 PCI Data Security Standard
More informationPAYMENT CARD INDUSTRY (PCI) ANNUAL TRAINING DECEMBER 10, 2009 WESTERN ILLINOIS UNIVERSITY OFFICE OF THE CTSO & BUSINESS SERVICES
PAYMENT CARD INDUSTRY (PCI) ANNUAL TRAINING DECEMBER 10, 2009 WESTERN ILLINOIS UNIVERSITY OFFICE OF THE CTSO & BUSINESS SERVICES AGENDA PCI Players and Roles Merchant Requirements Keys To Successful PCI
More informationVoltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review
Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review Prepared for: Coalfire Systems, Inc. March 2, 2012 Table of Contents EXECUTIVE SUMMARY... 3 DETAILED PROJECT OVERVIEW...
More informationUniversity of Sunderland Business Assurance PCI Security Policy
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial
More informationPCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR
PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST udit.pathak@niiconsulting.com Public Network Intelligence India 1 Contents 1. Background... 3 2. PCI Compliance
More informationPCI Compliance for Cloud Applications
What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage
More informationSecurity Management. Keeping the IT Security Administrator Busy
Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching
More informationThoughts on PCI DSS 3.0. September, 2014
Thoughts on PCI DSS 3.0 September, 2014 Speaker Today Jeff Sanchez is a Managing Director in Protiviti s Los Angeles office. He joined Protiviti in 2002 after spending 10 years with Arthur Andersen s Technology
More informationCyber - Security and Investigations. Ingrid Beierly August 18, 2008
Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities
More information