Top PCI 3.0 Challenges for Chain Merchants. March 11, 2015

Size: px
Start display at page:

Download "Top PCI 3.0 Challenges for Chain Merchants. March 11, 2015"

Transcription

1 Top PCI 3.0 Challenges for Chain Merchants March 11, 2015

2 Webinar Program Wednesday, March 11, 2015 Presentations 3PM 3:45PM Eastern Questions & Answers 3:45PM 4:00PM Eastern Agenda Cybercrime PCI DSS 3.0 Cyber Risk Management Rick Dakin, CEO and Chief Security Strategist Coalfire Reaching Continuous Compliance Implementing Data Security Shekar Swamy, President and Senior Security Strategist - Omega ATC

3 Cybercrime PCI DSS 3.0 Cyber Risk Management Rick Dakin, CEO and Chief Security Strategist

4 Reaching Continuous Compliance Implementing Data Security Shekar Swamy, President and Senior Security Strategist

5 Evolving Risk Landscape New Attack Surfaces New Attack Vectors More Active Nation States

6 A wake-up call the cyber threat is increasing

7 Lessons Learned PROFILE OF LARGE U.S. MERCHANT BREACHES Based on forensic reports from a sample of 11 large U.S. merchants that experienced a data breach: 9 had privileged credentials compromised 9 had sysadmin IDs exploited 8 had weak application security testing 8 did not have adequate monitoring 6 had malware installed on POS systems 6 had weak segmentation between corporate and cardholder data environment 5 had completed PCI DSS validation prior to the breach 2 had a weak audit function Examples of Issues Leading to Compromise of Privileged Credentials Security staff using infected USB stick Citadel Trojan Root compromise through vendor Domain IDs had simple passwords with no expiration, no history and high number of lockout attempts Contractor with infected machine Default POS admin IDs and passwords Open web server console Weak domain password in development Compromised PC belonging to administrator

8 New VISA Guidance to Retailers Risk Management VISA Strategy Enhance network security Control administrative accounts Harden POS platforms Secure web accessible applications Mitigate 3 rd Party Risk Deploy more secure applications o EMV o Encryption o Tokenization 8

9 Industry Awareness VISA Enforcement Enhanced, globally-consistent PCI DSS validation Fines for organizations (merchants, service providers, issuers, processers, etc.) o Overdue PCI DSS validation/never validated o AND have not submitted a Remediation plan Enforcement began Jan 1, 2015

10 Version 2.0 to 3.0 Changes

11 Get Ready for PCI DSS 3.0 PCI DSS v3.0 became effective on January 1 st 2015 with the following impact: Scope definition is more precise and documented Systems and cardholder data inventories are more thorough Network diagrams with data flows require more documentation Sample size definition becomes more stringent Evidence management forces enhanced testing Enhanced 3 rd Party oversight and more details on PA-DSS validation Business as Usual -> Enhanced Risk Assessment READ: PCI DSS validation is getting harder with more enforcement

12 PCI DSS 3.0 Drivers for Change Lack of education and awareness Weak passwords and authentication Third Party security challenges Slow self-detection of breach or malware Inconsistency in assessment

13 PCI DSS 3.0 Goals The PCI SSC is pushing the concept of ongoing or continuous compliance management. Monitoring of security controls Detect and respond to failures in security controls Review all changes to the environment Organization structure changes Periodic reviews Annual hardware/software review American Technology Corporation omegasecure.com 13

14 Changes to Penetration Testing Methodology Document a methodology that can be used to prove CDE boundaries are secured Pen test must demonstrate that all CDE boundaries are secured as expected

15 Card Data Flows Full dataflow diagrams now required Confidence on internal and external CDE boundaries

16 Expanded Documentation Requirements Specific requirements for each control family Responsible personnel must be trained on the CDE policies and procedures Documentation needs to be readily available

17 New SAQ Validation Types SAQ Validation Type Description # of Questions v3.0 Change # from v2.1 ASV Scan Required v3.0 Penetration Test Required V3.0 A A-EP B B-IP C Card-not-present merchants: All payment processing functions fully outsourced, no electronic cardholder data storage E-commerce merchants re-directing to a third-party website for payment processing, no electronic cardholder data storage Merchants with only imprint machines or only standalone dial-out payment terminals: No e-commerce or electronic cardholder data storage Merchants with standalone, IP-connected payment terminals: No e- commerce or electronic cardholder data storage Merchants with payment application systems connected to the Internet: No e-commerce or electronic cardholder data storage No No 139 NEW Yes Yes No No 83 NEW Yes No Yes Yes C-VT Merchants with web-based virtual payment terminals: No e-commerce or electronic cardholder data storage No No D-MER All other SAQ-eligible merchants Yes Yes D-SP SAQ-eligible service providers 347 NEW Yes Yes P2PE Hardware payment terminals in a validated PCI P2PE solution only: No e- commerce or electronic cardholder data storage No No

18 PCI DSS 3.0 Phased Requirements 2015 These requirements are considered best practices only until June 30, 2015 at which time they become mandatory for all 3.0 assessments. Requirement Broken authentication and session management. Requirement New requirement for service providers to use different authentication credentials for access into different customer environments. Requirement(s) 9.9.x New (merchant) requirements to protect point-of-sale devices that capture payment card data from tampering or unauthorized modification or substitution.

19 PCI DSS 3.0 More Phased Requirements 2015 Remember to start implementing processes for these phased requirements now. Many of them will take several months of planning, testing and training to implement properly. Don t wait until next June! Requirement 11.3.X Expanded requirements/expectations for penetration testing controls. PCI DSS v2.0 requirements for penetration testing may be followed until July Requirement 12.9 Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data.

20 Beyond Compliance Cyber Risk Management

21 Compliance does not equal security Compliance Conforming to a set of rules or standards. Generally confirmed by an assessor providing an opinion based on: 1. Observation 2. Inquiry 3. Inspection 4. Walk-throughs Security Implementing Technical, Physical, and Administrative controls to provide 1. Confidentiality 2. Integrity 3. Availability

22 Cyber Risk is Now a Matter of Corporate Governance 1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. 2. Directors should understand the legal implications of cyber risks as they relate to their company s specific circumstances. 3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda. 4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget. 5. Board management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

23 Accountability is the Key to Effective Cyber Risk Management

24 Effective Cyber Risk Management Must Be Comprehensive Cyber Risk Cycle

25 Impact on 2014 Assessment Changing from check box compliance testing to cyber risk management 1. Test new technologies Virtualization Scope, samples sizes, virtual appliances, access Cloud data ownership, 3 rd party reliability and compliance, incident response, the right Trust Principles in SOC 1 & 2 Mobile Platform security, application security, communication security 2. Integrate more security testing Pen Testing the ultimate truth teller Forensic why not pretend you are under attack periodically? 3. Include Process Testing Incident response drills make it real! Then, measure results. Datacenter to boardroom dialogue How will the organization reduce risk? Reduce attack surface? Increase controls? Improve monitoring? 3rd Party risk management did they just sign the vendor agreement or are they protecting your critical systems and sensitive data?

26 Preparation Prevention Maintenance Remediation Recovery Data security cannot be implemented overnight Make data security a part of your company culture Understand how to stay organized in your data security activities

27 Preparation for PCI DSS Make sure that anything you have in place is indeed working and up-to-date 2. Minimize or remove cardholder data (CD) from all systems 3. Examine information security policies pertaining to stores and verify they are followed 4. Create an Incident Response Plan

28 Preparation Implementing PCI DSS Focus on cardholder data environment Segmentation Processes manual, settlements, charge backs Third party service providers Diagrams and flow Inventory of systems and applications in CDE 2. Create inventory of all hardware and software Network equipment payment applications Security infrastructure Server and storage infrastructure Authentication infrastructure Management applications

29 Prevention 1. External and internal scanning 2. Secure encrypted remote control 2 FA 3. Patch management regularly done and tracked 4. Endpoint Security centralized logging is required 5. Network Segmentation limits scope and reduces risk 6. No cardholder data retained in the clear validation required 7. Wireless intrusion detection and prevention 8. Logging of patches, events, activity, remote control, firewall, file integrity monitoring and wireless intrusion prevention 9. All logs must be centrally retained for 1 year 10. Event logs need to generate security alerts

30 Maintenance 1. Inspect POS systems regularly for any evidence of tampering 2. Conduct periodic reviews of DSS requirements to be sure they operate as designed 3. Monitor security controls to ensure effective operation 4. Maintain inventory of all hardware and software 5. Test your incident response plan annually 6. Event logs must be regularly analyzed in order to generate security alerts

31 Remediation 1. Fix the vulnerabilities identified by external and internal scans 2. Examine firewall router logs 3. Apply patches, fixes, workarounds and changes to unsafe processes and workflow 4. Re-scan to verify that remediation actually occurred

32 Recovery 1. Execute the Incidence Response Plan 2. Contact law enforcement, legal, and customers 3. Conduct investigation to find out which areas of environment have been compromised 4. Inform acquiring banks, customers, QSA firm, etc.

33 Recovery 1. The best data security can still be vulnerable to breaches 2. Event logging makes the forensic investigation faster and less expensive in the event of a breach 3. Security alerts allow the retailer to inform customers of breaches, rather than customers finding out the hard way 4. As always, all data should be backed up

34 The Customer loves c-stores more than ever. 83.7% of motor fuel purchases in America are made at convenience stores. 3 to 4 minutes is the average time for a customer to walk in, purchase an item, and depart. $32 BB spent annually on food items from convenience stores alone. 1,100 customers per day walk into a single C-store that sells petroleum on average.

35 The Customer uses their credit cards for most purchases. Customers want to feel secure when they give you their credit card Convenience stores are highly sought after and trusted by consumers of all ages Convenience is what they want - fast, efficient and friendly They don t even think when they give you the card for a transaction You have their trust - they expect you to protect it

36

37

38 Think of data security today: from the Inside of Enterprise - to the Perimeter. There needs to be an information-based and activitybased data strategy The enterprise has to be secured from the inside-out Cloud-based storage makes securing data more difficult It is harder to know where sensitive information is actually being stored at a given time

39 Data security realities in Cyber risk is a matter of corporate governance 2. PCI DSS 3.0 is about continuous compliance 3. Penetration testing must demonstrate that CDE boundaries are secured as expected. 4. Service Providers must be certified compliant. 5. Even small merchants may need to be validated for compliance. 6. Centralized data security management is essential. 7. Data security needs to be from the Inside-Out.

40 Questions? Type your questions in the chat box. Rick Dakin and Shekar Swamy will address them.

41 Thank You Rick Dakin CEO and Chief Security Strategist Office: x7001 coalfire.com Shekar Swamy President and Sr. Security Strategist Office: x2450 omegasecure.com American Technology Corporation omegasecure.com 41

42 Coalfire Systems, Inc. coalfire.com Omega ATC omegasecure.com Leading independent provider of IT Governance, Risk and Compliance (IT-GRC) management services Focused expertise in Healthcare (HIPAA), Retail (PCI), Banking (GLBA), Utilities (NERC) and Cloud (FedRAMP) Full suite of IT GRC solutions: compliance audit, risk and vulnerability assessment, application security, penetration testing and forensic analysis Served over [1,300] clients to date, including Oracle, TSYS, Epic, IBM, Ford, Nordstrom, EchoStar, Microsoft, Intuit, Overstock Over [250] employees and contractors across [11] offices: UK, Boston, Denver, Seattle, New York, Atlanta, Los Angeles, San Francisco, San Diego, Washington DC and Dallas PCI DSS 3.0 Certified Compliant Managed Security Services Provider (MSSP) Serving customers nationally in the convenience store, quick service restaurant, petroleum market and specialty retail spaces 24-year history of performance helping customers simplify and manage retail systems Clients include Fortune 500 corporations to small familyowned businesses Omega systems and services widely used in the market Rapid deployment process, focus on systems management, data security and helping customers achieve compliance Member of NACS, Conexxus, NRF and SIGMA

PCI 3.1 Changes. Jon Bonham, CISA Coalfire System, Inc.

PCI 3.1 Changes. Jon Bonham, CISA Coalfire System, Inc. PCI 3.1 Changes Jon Bonham, CISA Coalfire System, Inc. Agenda Introduction of Coalfire What does this have to do with the business office Changes to version 3.1 EMV P2PE Questions and Answers Contact Information

More information

PCI Compliance 3.1. About Us

PCI Compliance 3.1. About Us PCI Compliance 3.1 University of Hawaii About Us Helping organizations comply with mandates, recover from security breaches, and prevent data theft since 2000. Certified to conduct all major PCI compliance

More information

PCI Risks and Compliance Considerations

PCI Risks and Compliance Considerations PCI Risks and Compliance Considerations July 21, 2015 Stephen Ramminger, Senior Business Operations Manager, ControlScan Jon Uyterlinde, Product Manager, Merchant Services, SVB Agenda 1 2 3 4 5 6 7 8 Introduction

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS CIVICA Conference 22 January 2015 WELCOME AND AGENDA Change is here! PCI-DSS 3.0 is mandatory starting January 1, 2015 Goals of the session

More information

Payment Security Update

Payment Security Update Payment Security Update Rick Dakin, CEO & Cofounder October 2, 2014 Agenda Coalfire Introduction Changing Environment Threats Technology Compliance Mobile Security Recent Data Breaches Risk Management

More information

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014 Are You Ready For PCI v 3.0 Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014 Today s Presenter Corbin Del Carlo QSA, PA QSA Director, National Leader PCI Services Practice 847.413.6319

More information

New PCI Standards Enhance Security of Cardholder Data

New PCI Standards Enhance Security of Cardholder Data December 2013 New PCI Standards Enhance Security of Cardholder Data By Angela K. Hipsher, CISA, QSA, Jeff A. Palgon, CPA, CISSP, QSA, and Craig D. Sullivan, CPA, CISA, QSA Payment cards a favorite target

More information

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security Breach Findings for Large Merchants 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security Disclaimer The information or recommendations contained herein are

More information

MITIGATING LARGE MERCHANT DATA BREACHES

MITIGATING LARGE MERCHANT DATA BREACHES MITIGATING LARGE MERCHANT DATA BREACHES Tia D. Ilori Ed Verdurmen January 2014 1 DISCLAIMER The information or recommendations contained herein are provided "AS IS" and intended for informational purposes

More information

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock PCI DSS 3.0 Overview OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock 01/16/2015 Purpose of Today s Presentation To provide an overview of PCI 3.0 based

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 3.2 May 2016 Document Changes Date Version Description October 1, 2008 1.2 October 28,

More information

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard PCI Compliance Crissy Sampier, Longwood University Edward Ko, CampusGuard Agenda Introductions PCI DSS 101 Chip Cards (EMV) Longwood s PCI DSS Journey Breach Statistics Shortcuts to PCI DSS Compliance

More information

What does it mean to be secure?

What does it mean to be secure? OmegaSecure.com What does it mean to be secure? Shekar Swamy, President Omega ATC What is Data Security? Data security is the means of ensuring that data is kept safe from corruption and access to it is

More information

North Carolina Office of the State Controller Technology Meeting

North Carolina Office of the State Controller Technology Meeting PCI DSS Security Awareness Training North Carolina Office of the State Controller Technology Meeting April 30, 2014 agio.com A Note on Our New Name Secure Enterprise Computing was acquired as the Security

More information

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics About Us Matt Halbleib CISSP, QSA, PA-QSA Manager PCI-DSS assessments With SecurityMetrics for 6+ years SecurityMetrics Security

More information

PCI DSS 3.0 and You Are You Ready?

PCI DSS 3.0 and You Are You Ready? PCI DSS 3.0 and You Are You Ready? 2014 STUDENT FINANCIAL SERVICES CONFERENCE Linda Combs combslc@jmu.edu Ron King rking@campusguard.com AGENDA PCI and Bursar Office Role Key Themes in v3.0 Timelines Changes

More information

NACS/PCATS WeCare Data Security Program Overview

NACS/PCATS WeCare Data Security Program Overview NACS/PCATS WeCare Data Security Program Overview March 27, 2012 Abstract This document describes the WeCare Program, discusses common data security threats, outlines an 8-point plan to improve data security,

More information

PCI It Never Ends! Shekar Swamy, President Omega ATC. Denise Lewis, Pinnacle POS Product Manager. omegasecure.com

PCI It Never Ends! Shekar Swamy, President Omega ATC. Denise Lewis, Pinnacle POS Product Manager. omegasecure.com PCI It Never Ends! Shekar Swamy, President Omega ATC Denise Lewis, Pinnacle POS Product Manager Palm POS PCI Status Pinnacle Palm POS is PCI compliant! Palm POS continues to evolve with the PCI DSS: -

More information

What s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1

What s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 What s New in PCI DSS 2.0 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 Agenda PCI Overview PCI 2.0 Changes PCI Advanced Technology Update PCI Solutions 2010 Cisco and/or

More information

INFORMATION TECHNOLOGY FLASH REPORT

INFORMATION TECHNOLOGY FLASH REPORT INFORMATION TECHNOLOGY FLASH REPORT Understanding PCI DSS Version 3.0 Key Changes and New Requirements November 8, 2013 On November 7, 2013, the PCI Security Standards Council (PCI SSC) announced the release

More information

Why Is Compliance with PCI DSS Important?

Why Is Compliance with PCI DSS Important? Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These

More information

PCI Compliance in Multi-Site Retail Environments

PCI Compliance in Multi-Site Retail Environments TECHNICAL ASSESSMENT WHITE PAPER PCI Compliance in Multi-Site Retail Environments Executive Summary As an independent auditor, Coalfire seeks to be a trusted advisor to our clients. Our role is to help

More information

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard Partner Addendum Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard The findings and recommendations contained in this document are provided by VMware-certified

More information

The State of Security and Compliance for E- Commerce and Retail

The State of Security and Compliance for E- Commerce and Retail The State of Security and Compliance for E- Commerce and Retail Current state of security PCI regulations and compliance Does the data you hold require PCI compliance Security and safeguarding against

More information

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase PCI DSS Overview By Kishor Vaswani CEO, ControlCase Agenda About PCI DSS PCI DSS Applicability to Banks, Merchants and Service Providers PCI DSS Technical Requirements Overview of PCI DSS 3.0 Changes Key

More information

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP 2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com Overview PCI DSS In the beginning Each major card brand had its own separate

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

A Wake-Up Call? Fight Back Against Cybercrime. Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014

A Wake-Up Call? Fight Back Against Cybercrime. Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014 A Wake-Up Call? Fight Back Against Cybercrime Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014 1 Coalfire Background Leading Information Security Consulting Firm Offices: Atlanta,

More information

PCI DSS Overview and Solutions. Anwar McEntee Anwar_McEntee@rapid7.com

PCI DSS Overview and Solutions. Anwar McEntee Anwar_McEntee@rapid7.com PCI DSS Overview and Solutions Anwar McEntee Anwar_McEntee@rapid7.com Agenda Threat environment and risk PCI DSS overview Who we are Solutions and where we can help Market presence High Profile Hacks in

More information

PCI Compliance Overview

PCI Compliance Overview PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)

More information

Project Title slide Project: PCI. Are You At Risk?

Project Title slide Project: PCI. Are You At Risk? Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

More information

Data Security for the Hospitality

Data Security for the Hospitality M&T Bank and SecurityMetrics Present: Data Security for the Hospitality Industry Featuring Lee Pierce, SecurityMetricsStrategicStrategic Accounts Dave Ellis, SecurityMetrics Forensic Investigator Doug

More information

PCI: It Never Ends. Why?

PCI: It Never Ends. Why? PCI: It Never Ends. Why? How to stay prepared? Shekar Swamy American Technology Corporation St. Louis, MO January 13, 2011 PCI compliance basics It s all about Data Security 12 major areas of compliance

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

PCI v 3.0 What you should know! Emily Coble UNC Chapel Hill Robin Mayo East Carolina University

PCI v 3.0 What you should know! Emily Coble UNC Chapel Hill Robin Mayo East Carolina University PCI v 3.0 What you should know! Emily Coble UNC Chapel Hill Robin Mayo East Carolina University Session Etiquette Please turn off all cell phones. Please keep side conversations to a minimum. If you must

More information

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,

More information

SECURITY FIRST: CLARITY ON PCI COMPLIANCE

SECURITY FIRST: CLARITY ON PCI COMPLIANCE WHITE PAPER CLOUD HOSTING. SECURED. SECURITY FIRST: CLARITY ON PCI COMPLIANCE WWW.SERVERCHOICE.COM SECURITY FIRST: CLARITY ON PCI COMPLIANCE This Security First white paper provides an illustrated view

More information

Continuous compliance through good governance

Continuous compliance through good governance PCI DSS Compliance: A step into the payment ecosystem and Nets compliance program Continuous compliance through good governance Who are the PCI SSC? The Payment Card Industry Security Standard Council

More information

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation The PCI DSS Lifecycle 1 The PCI DSS follows a three-year lifecycle PCI DSS 3.0 will be released in November 2013 Optional (but recommended) in 2014; Required in 2015 PCI SSC Community Meeting Update: PCI

More information

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers.

More information

PCI Compliance. Top 10 Questions & Answers

PCI Compliance. Top 10 Questions & Answers PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements

More information

PCI Overview. Lee Buttke Director of Consulting QSA, CPISM, CISSP

PCI Overview. Lee Buttke Director of Consulting QSA, CPISM, CISSP PCI Overview Lee Buttke Director of Consulting QSA, CPISM, CISSP About NetSPI Security and compliance consulting solutions for highly regulated markets QSA, PA-QSA, and ASV Higher Education and Retail/Payment

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Office of the State Treasurer Ryan Pitroff Banking Services Manager Ryan.Pitroff@tre.wa.gov PCI-DSS A common set of industry tools and measurements to help

More information

PCI DSS v3.0 SAQ Eligibility

PCI DSS v3.0 SAQ Eligibility http://www.ambersail.com Disclaimer: The information in this document is provided "as is" without warranties of any kind, either express or implied, including, without limitation, implied warranties of

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other SAQ-Eligible Merchants and Service Providers Version 2.0 October 2010 Document

More information

Technology Innovation Programme

Technology Innovation Programme FACT SHEET Technology Innovation Programme The Visa Europe Technology Innovation Programme () was designed to complement the Payment Card Industry (PCI) Data Security Standard (DSS) by reflecting the risk

More information

PCI Security Standards Council

PCI Security Standards Council PCI Security Standards Council Jeremy King, European Director 2013 Why PCI Matters Applying PCI How You Can Participate Agenda 2 Why PCI Matters Applying PCI How You Can Participate Agenda About the PCI

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance

More information

PCI Compliance Top 10 Questions and Answers

PCI Compliance Top 10 Questions and Answers Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs

More information

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This

More information

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers Compliant? Bank Name

More information

Encryption and Tokenization: Protecting Customer Data. Your Payments Universally Amplified. Tia D. Ilori Sue Zloth September 18, 2013

Encryption and Tokenization: Protecting Customer Data. Your Payments Universally Amplified. Tia D. Ilori Sue Zloth September 18, 2013 Encryption and Tokenization: Protecting Customer Data Your Payments Universally Amplified Tia D. Ilori Sue Zloth September 18, 2013 Agenda Global Threat Landscape Real Cost of a Data Breach Evolution of

More information

PCI DSS Compliance. 2015 Information Pack for Merchants

PCI DSS Compliance. 2015 Information Pack for Merchants PCI DSS Compliance 2015 Information Pack for Merchants This pack contains general information regarding PCI DSS compliance and does not take into account your business' particular requirements. ANZ recommends

More information

How Secure is Your Payment Card Data?

How Secure is Your Payment Card Data? How Secure is Your Payment Card Data? Complying with PCI DSS SLIDE 1 PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security Practice PCI Practice Leader Francis has

More information

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS August 23, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Presenters Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security

More information

Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A

Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879 Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 2 of 116 PageID: 4880 Payment Card Industry (PCI)

More information

An article on PCI Compliance for the Not-For-Profit Sector

An article on PCI Compliance for the Not-For-Profit Sector Level 8, 66 King Street Sydney NSW 2000 Australia Telephone +61 2 9290 4444 or 1300 922 923 An article on PCI Compliance for the Not-For-Profit Sector Page No.1 PCI Compliance for the Not-For-Profit Sector

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate. MasterCard PCI & Site Data Protection (SDP) Program Update Academy of Risk Management Innovate. Collaborate. Educate. The Payment Card Industry Security Standards Council (PCI SSC) Open, Global Forum Founded

More information

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing

More information

How to Sell PCI 3.1 to Your Merchants. Matt Brown, Director of Business Development

How to Sell PCI 3.1 to Your Merchants. Matt Brown, Director of Business Development How to Sell PCI 3.1 to Your Merchants Matt Brown, Director of Business Development MAC is an organization of Bankcard professionals involved in the risk management side of Card Processing. We have members

More information

Customer PCI 3.0 Changes = New Opportunity For You. Giles Witherspoon-Boyd SecurityMetrics

Customer PCI 3.0 Changes = New Opportunity For You. Giles Witherspoon-Boyd SecurityMetrics Customer PCI 3.0 Changes = New Opportunity For You Giles Witherspoon-Boyd SecurityMetrics Who is this guy? Giles Witherspoon-Boyd, PCIP 15 years in technology, 4 years at SecurityMetrics SecurityMetrics

More information

So you want to take Credit Cards!

So you want to take Credit Cards! So you want to take Credit Cards! Payment Card Industry - Data Security Standard: (PCI-DSS) Doug Cox GSEC, CPTE, PCI/ISA, MBA dcox@umich.edu Data Security Analyst University of Michigan PCI in Higher Ed

More information

AISA Sydney 15 th April 2009

AISA Sydney 15 th April 2009 AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks

More information

Josiah Wilkinson Internal Security Assessor. Nationwide

Josiah Wilkinson Internal Security Assessor. Nationwide Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges

More information

Credit Card Processing, Point of Sale, ecommerce

Credit Card Processing, Point of Sale, ecommerce Credit Card Processing, Point of Sale, ecommerce Compliance, Self Auditing, and More John Benson Kurt Willey HACKS REGULATIONS Greater Risk for Merchants Topics Compliance Changes Scans Self Audits

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard rking@campusguard.com

PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard rking@campusguard.com PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard rking@campusguard.com Whoops!...3.1 Changes 3.1 PCI DSS Responsibility Information Technology Business Office PCI DSS Work Information

More information

Data Security Basics for Small Merchants

Data Security Basics for Small Merchants Data Security Basics for Small Merchants 28 October 2015 Stan Hui Director, Merchant Risk Lester Chan Director, Merchant Risk Disclaimer The information or recommendations contained herein are provided

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0 Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview

More information

Thoughts on PCI DSS 3.0. D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director

Thoughts on PCI DSS 3.0. D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director Thoughts on PCI DSS 3.0 D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director Agenda 1 2 3 Global Payment Card Statistics and Trends PCI DSS Overview PCI DSS Version 3.0: Important Timelines

More information

PCI v2.0 Compliance for Wireless LAN

PCI v2.0 Compliance for Wireless LAN PCI v2.0 Compliance for Wireless LAN November 2011 This white paper describes how to build PCI v2.0 compliant wireless LAN using Meraki. Copyright 2011 Meraki, Inc. All rights reserved. Trademarks Meraki

More information

PCI DSS. Payment Card Industry Data Security Standard. www.tuv.com/id

PCI DSS. Payment Card Industry Data Security Standard. www.tuv.com/id PCI DSS Payment Card Industry Data Security Standard www.tuv.com/id What Is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is the common security standard of all major credit cards brands.the

More information

PCI Data Security Standards

PCI Data Security Standards PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million

More information

Frequently Asked Questions

Frequently Asked Questions PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply

More information

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance

More information

2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock

2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock 2015 PCI DSS Meeting OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock 11/3/2015 Today s Presentation What do you need to do? What is PCI DSS? Why PCI DSS? Who Needs to Comply

More information

A PCI Journey with Wichita State University

A PCI Journey with Wichita State University A PCI Journey with Wichita State University Blaine Linehan System Software Analyst III Financial Operations & Business Technology Division of Administration & Finance 1 Question #1 How many of you know

More information

Vendor 1 QUESTION CCSF RESPONSE

Vendor 1 QUESTION CCSF RESPONSE Vendor 1 QUESTION 1 If we have already filled out the vendor profile application, business tax declaration and local business forms will we need to fill them out again? 2 Is CCSF open to rolling up all

More information

Franchise Data Compromise Trends and Cardholder. December, 2010

Franchise Data Compromise Trends and Cardholder. December, 2010 Franchise Data Compromise Trends and Cardholder Security Best Practices December, 2010 Franchise Data Security Agenda Cardholder Data Compromise Overview Breach Commonalities Hacking Techniques Franchisee

More information

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600 Credit Cards and Oracle: How to Comply with PCI DSS Stephen Kost Integrigy Corporation Session #600 Background Speaker Stephen Kost CTO and Founder 16 years working with Oracle 12 years focused on Oracle

More information

How To Achieve Pca Compliance With Redhat Enterprise Linux

How To Achieve Pca Compliance With Redhat Enterprise Linux Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving

More information

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina ricklambert@sc.

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina ricklambert@sc. PCI Compliance at The University of South Carolina Failure is not an option Rick Lambert PMP University of South Carolina ricklambert@sc.edu Payment Card Industry Data Security Standard (PCI DSS) Who Must

More information

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com

More information

Preparing for PCI DSS 3.0 & Ensuring a Seamless Transition. November 2013

Preparing for PCI DSS 3.0 & Ensuring a Seamless Transition. November 2013 Preparing for PCI DSS 3.0 & Ensuring a Seamless Transition November 2013 Introductions Brian Serra PCI Practice Director Nick Puetz Managing Director - Strategic Services 2013 FishNet Security Inc. All

More information

How SafenSoft TPSecure can help. Compliance

How SafenSoft TPSecure can help. Compliance How SafenSoft TPSecure can help with PCI DSS Compliance June 2011 Tel: 1-866-846-6779 Fax: 1-408 273 Executive Summary In an era of increasingly sophisticated attacks on systems, it is vital that any business

More information

Payment Card Industry Compliance Overview

Payment Card Industry Compliance Overview January 31, 2014 11:30am 12:30pm Central Hosted by: Texas.gov Presented by: Jayne Holland Barbara Brinson Payment Card Industry Compliance Overview Securing Government Payments Audio Dial In: 866-740-1260

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 1.1 February 2008 Table of Contents About this Document... 1 PCI Data Security Standard

More information

PAYMENT CARD INDUSTRY (PCI) ANNUAL TRAINING DECEMBER 10, 2009 WESTERN ILLINOIS UNIVERSITY OFFICE OF THE CTSO & BUSINESS SERVICES

PAYMENT CARD INDUSTRY (PCI) ANNUAL TRAINING DECEMBER 10, 2009 WESTERN ILLINOIS UNIVERSITY OFFICE OF THE CTSO & BUSINESS SERVICES PAYMENT CARD INDUSTRY (PCI) ANNUAL TRAINING DECEMBER 10, 2009 WESTERN ILLINOIS UNIVERSITY OFFICE OF THE CTSO & BUSINESS SERVICES AGENDA PCI Players and Roles Merchant Requirements Keys To Successful PCI

More information

Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review

Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review Prepared for: Coalfire Systems, Inc. March 2, 2012 Table of Contents EXECUTIVE SUMMARY... 3 DETAILED PROJECT OVERVIEW...

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial

More information

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST udit.pathak@niiconsulting.com Public Network Intelligence India 1 Contents 1. Background... 3 2. PCI Compliance

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

Security Management. Keeping the IT Security Administrator Busy

Security Management. Keeping the IT Security Administrator Busy Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching

More information

Thoughts on PCI DSS 3.0. September, 2014

Thoughts on PCI DSS 3.0. September, 2014 Thoughts on PCI DSS 3.0 September, 2014 Speaker Today Jeff Sanchez is a Managing Director in Protiviti s Los Angeles office. He joined Protiviti in 2002 after spending 10 years with Arthur Andersen s Technology

More information

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008 Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities

More information