The PCI Security Standards Council. Jeremy King European Director


The PCI Security Standards Council Jeremy King European Director

Agenda How can you defend your card data? What is the Council doing to help you? What tools are available to get you secure? How can you be involved?

PCI Security Standards: Protection of Cardholder Payment Data
- Manufacturers: PCI PTS (PIN Entry Devices)
- Software Developers: PCI PA-DSS (Payment Applications)
- Merchants & Service Providers: PCI DSS (Secure Environments)
- PCI Security & Compliance: P2PE
The ecosystem of payment devices, applications, infrastructure and users.

About the Council: an open, global forum, founded in 2006, responsible for the PCI Security Standards: development, management, education and awareness.

Global Representation, Board of Advisors: RSA (The Security Division of EMC), TSYS, VeriFone Systems, Inc., Wal-Mart Stores, Inc., Starbucks, Barclaycard, British Airways, Cartes Bancaires, European Payments Council, IATA, Ingenico, Tesco Stores Limited, Cisco, Citi, First Data Corporation, Heartland Payment Systems, JPMorgan Chase & Co., McDonald's Corporation, Cielo, Woolworths Limited.

Continued and Sustained Growth: PCI SSC Community Meetings

Attendees                      2007   2010   2011
Total attendees                 343    926   1509
PO attendees                    271    614    883
QSA/ASV/PTS Lab attendees        52    231    434

Agenda How can you defend your card data? What is the Council doing to help you? What tools are available to get you secure? How can you be involved?

The Five Stages of Grief: Denial. "It doesn't apply to me." PCI compliance is mandatory.
denial (noun): 1. refusal to satisfy a request or desire; 2a. (1) refusal to admit the truth or reality (as of a statement or charge), (2) assertion that an allegation is false; 2b. refusal to acknowledge a person or a thing: disavowal; 3. the opposing by the defendant of an allegation of the opposite party in a lawsuit. Source: http://www.merriam-webster.com/

The Five Stages of Grief: Anger. "It isn't fair." PCI applies to all parties in the payment process.
anger (verb): transitive: to make angry <he was angered by the decision>; intransitive: to become angry. Source: http://www.merriam-webster.com/

The Five Stages of Grief: Bargaining. "I'll do some of it." Compliance is pass / fail.
bargaining (noun): 1. an agreement between parties settling what each gives or receives in a transaction between them or what course of action or policy each pursues in respect to the other; 2. something acquired by or as if by bargaining, especially an advantageous purchase <at that price the car is a bargain>; 3. a transaction, situation, or event regarded in the light of its results <a bad bargain>. Source: http://www.merriam-webster.com/

The Five Stages of Grief: Depression. "I'll never get there." Many merchants already have.
depression (noun): 1. (1) a state of feeling sad: dejection; (2) a psychoneurotic or psychotic disorder marked especially by sadness, inactivity, difficulty in thinking and concentration, a significant increase or decrease in appetite and time spent sleeping, feelings of dejection and hopelessness, and sometimes suicidal tendencies; 2. (1) a reduction in activity, amount, quality, or force; (2) a lowering of vitality or functional activity. Source: http://www.merriam-webster.com/

The Five Stages of Grief: Acceptance. "It'll be OK." PCI doesn't introduce any new, alien concepts.
acceptance (noun): 1. an agreeing either expressly or by conduct to the act or offer of another so that a contract is concluded and the parties become legally bound. Source: http://www.merriam-webster.com/

What About EMV? The Council released guidance on EMV within an overall data security framework defined by the PCI Data Security Standard. The guidance clearly highlights the benefits both systems bring to tackling fraud. While EMV does help prevent some types of fraud, in order for a merchant to secure their payment data they must also adopt all elements of the PCI DSS. In today's EMV market, PCI DSS must be adopted and implemented in order to protect cardholder data.

EMV Transaction (diagram): the card carries PAN, expiry and iCVV/iCVC; each hop of the transaction carries an authorisation request together with track data and a PIN block.

Agenda How can you defend your card data? What is the Council doing to help you? What tools are available to get you secure? How can you be involved?

Website

Resources for Merchants and Others

Special Resources for Small Merchants

2012 Training Highlights
- PCI SSC Internal Security Assessor (ISA) Program: helps security professionals improve their organizations' understanding of PCI DSS and validate and maintain ongoing compliance. Check out our Training Webinar!
- PCI Awareness Training: offers general PCI training across your business to ensure a universal understanding of PCI compliance.
Training Schedule: ISA: London, UK, 26-27 April, 2012; QSA: London, UK, 28-29 April, 2012; PA-QSA: London, UK, 22-23 April, 2012; PCI Awareness Training online anytime! https://www.pcisecuritystandards.org/training/index.php

Internal Security Assessor (ISA) Program: a comprehensive PCI DSS training and qualification program for eligible internal audit security professionals. Now offered in a new hybrid model: online prerequisite course followed by a two-day instructor-led session!
Focus: help security professionals improve their organizations' understanding of PCI DSS and validate and maintain ongoing compliance.
How does this benefit my organization?
- Opportunity to develop an internal security expert for driving and maintaining PCI compliance
- Increase internal understanding of PCI standards and controls
- May reduce compliance costs by encouraging development of an ongoing security process before and beyond the annual validation
- Improving understanding of PCI standards and compliance through: enhancing the quality, reliability, and consistency of internal PCI DSS self-assessments; supporting the consistent and proper application of PCI DSS measures and controls; effectively facilitating interactions with QSAs

PCI Awareness Training
Who should attend? Open to anyone who is interested in learning more about PCI, with a focus on those individuals working for organizations that must meet compliance with the PCI DSS or have a vested interest in the Payment Card Industry.
What does it cover? Key topics:
- What is PCI and what does it mean to a company that must meet compliance with the PCI DSS?
- Roles and responsibilities of the key actors in the compliance process
- How the credit card brands differ in their requirements for PCI reporting and validation
- Overview of the infrastructure used by organizations to accept payment cards and communicate with the verification and payment facilities
- Real-world examples of PCI challenges and successes
How can I sign up? This course is offered both online and as a one-day instructor-led session. Please visit the PCI SSC Awareness Training page on the Council website for an up-to-date schedule of courses and registration details: https://www.pcisecuritystandards.org/training/non_certification_training.php Awareness Training available online!
Dates & Cost: Fees: $995.00 per individual (plus VAT where applicable). Online (per company): 1-24 people $495; 25-99 people $395; 100+ people $295.

PCI DSS Prioritized Approach Prioritized Approach Tools

Fact Sheets

Skimming Prevention Guidance

New Guidance: EMV, Telephone-based Payment Card Data, Virtualization, Tokenization, Wireless, PA-DSS and Mobile.

New Guidance, Information Supplement: Telephone-based Payment Card Data. Key recommendations:
- Identifies risks and considerations specific to telephone-based payment card data
- Provides a step-by-step flowchart to help determine PCI DSS controls for voice recordings
- Specific guidance addressing capture of SAD
- Identifies several applicable PCI DSS requirements with recommendations specific to call recording environments
- Provides sample questions that merchants can ask call center providers to determine how their solution supports PCI DSS compliance

New Guidance, Information Supplement: Virtualization. Key recommendations:
- Perform a thorough evaluation of the technology and the impact on PCI DSS
- Specific security considerations for virtual environments
- Recommends all virtualization components meet PCI DSS requirements
- Defense-in-depth approach across both physical and logical layers

New Guidance, Information Supplement: Virtualization. Cloud-based architectures: responsibility will vary according to the specific cloud service and/or implementation. Considerations for public cloud environments include: added complexity; dynamic boundaries; often limited visibility or control over underlying infrastructure.

New Guidance, Information Supplement: Tokenization. Key recommendations:
- Tokenization does not eliminate the need for PCI DSS
- Primary goal is to replace sensitive PAN values with non-sensitive token values
- Tokenization may affect PCI DSS scope by limiting systems that store, process or transmit cardholder data
- Tokenization can contribute to a layered approach to cardholder data security

New Guidance, Information Supplement: Tokenization. Scoping principles:
- Segment out-of-scope systems from the tokenization system and the CDE
- Scoping considerations will vary for each solution
Tips for maximizing scope reduction:
- Limit PAN to the point of capture and the card data vault
- Combine with P2PE
- Ensure PAN is not retrievable
- Securely delete PAN and other cardholder data from source systems
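The two tokenization slides above describe the goal (replace PAN with a non-sensitive token, keep PAN confined to the point of capture and the card data vault, and make sure PAN is not retrievable from the token). The following is an added illustration, not code from the Council or from any listed solution, of what those properties look like in practice: tokens are random values with no mathematical relationship to the PAN, the only place a PAN can be recovered is the vault (which would sit inside the CDE), and the merchant-side record keeps just the token and a masked form for display. The class and function names, and the sample PAN 4111111111111111, are constructed for this example.

```python
import hmac
import hashlib
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check, used here only to reject malformed input before it reaches the vault."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked form for receipts and screens: first six and last four, rest starred."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Constructed card data vault: the only component that can map a token back to a PAN.

    Tokens are generated with a CSPRNG, so knowing a token (or many tokens)
    gives no information about the PAN.  The PAN index is keyed by an HMAC
    so the lookup structure itself does not hold clear-text PAN.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_index: dict[str, str] = {}
        self._index_key = secrets.token_bytes(32)   # vault-local secret, never leaves the CDE

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the existing token for this PAN, or mint a new random one."""
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check; refusing to store")
        idx = self._index(pan)
        if idx in self._pan_index:
            return self._pan_index[idx]
        while True:
            token = secrets.token_hex(8)            # 128-bit random, 16 hex characters
            if token not in self._token_to_pan:     # collision guard
                break
        self._token_to_pan[token] = pan
        self._pan_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callable inside the vault; the merchant-side record never has this."""
        return self._token_to_pan[token]


def merchant_record(pan: str, vault: TokenVault) -> dict:
    """What a merchant system outside the CDE is left holding after capture."""
    token = vault.tokenize(pan)
    return {"token": token, "display": mask_pan(pan)}


def pan_recoverable_from_record(record: dict, pan: str) -> bool:
    """Sanity check for scope reduction: the stored fields must not contain the PAN."""
    return any(pan in str(v) for v in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record("4111111111111111", vault)       # constructed test PAN
    print(rec)                                            # token + "411111******1111"
    print(vault.detokenize(rec["token"]))                 # vault can recover it; merchant cannot
```

The point of the `pan_recoverable_from_record` check is the slide's "ensure PAN is not retrievable": if the merchant-side record (token plus masked display) is all that is stored, processed or transmitted outside the vault, those systems hold no cardholder data that a breach could expose, which is what lets them be argued out of scope after the segmentation the slide also calls for.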

New Guidance, Information Supplement: Wireless. Overview: updated guidance aligns with PCI DSS v2.0; incorporates Bluetooth technologies; recommendations for securing wireless technologies; expanded guidance; includes updates per PCI DSS Requirement 11.1.

New Guidance, PCI SSC Update June 2011: Mobile. Update & FAQ on applicability of PA-DSS to mobile payment acceptance applications. Category 1 and 2 applications are eligible for PA-DSS; Category 3 applications are pending development of further guidance and/or standards.
- Category 1: PTS-approved PED devices
- Category 2: purpose-built POS devices
- Category 3: general-purpose smart devices

New Guidance, PCI SSC Update June 2011: Mobile. Addressing Category 3 applications via two scenarios:
- Scenario 1: cardholder data is only input using an encrypted solution and transmitted encrypted through a mobile device. The device never accesses clear-text PAN. A new PTS approval class for Secure Card Readers plus P2PE is applicable.
- Scenario 2: cardholder data is input using a non-encrypted solution and transmitted through a mobile device. The device has access to clear-text PAN. Guidance/best practices for protecting clear-text PAN within mobile applications are under development.

New Program: P2PE, Hardware/Hardware Point-to-Point Encryption. The basics:
- P2PE does not replace PCI DSS
- Allows merchants to reduce their validation scope
- Merchant environment is isolated from clear-text account data
P2PE incorporates all PCI standards, including elements from: PTS for the Point of Interaction (POI) devices; PA-DSS for applications within the POI; PCI PIN for cryptographic key management; PCI DSS for the P2PE Solution Provider environment.

New Program: P2PE, Hardware/Hardware Point-to-Point Encryption. Program schedule (Hardware/Hardware):
- Initial release of validation requirements: September 2011
- Final release of validation requirements with detailed testing procedures: early 2012
- P2PE assessor qualification process and solution listings: Q1 2012

Council Resources: security standards and supporting documents; Quick Reference Guide; Frequently Asked Questions; searchable list of approved QSAs, ASVs, PA-QSAs and PED Labs; education and outreach (e.g., fact sheets, webinars); participating membership, meetings, collaboration; a global voice for the industry.

Agenda How can you defend your card data? What is the Council doing to help you? What tools are available to get you secure? How can you be involved?

Get Involved PCI security landscape and standards are maturing globally

Get Involved: Join the PCI Braintrust! Chief Security Officers, Information Security Professionals, Compliance Officers, Forensic Investigators, Technologists, IT Managers, Risk Managers, Chief Information Officers, Legal Experts, Data Security Experts. Join! Become a Participating Organization today.

Special Interest Groups (SIGs): Guidance & Alignment on Risk Assessment; Level 3 and Level 4 E-Commerce Merchants; Cloud (Virtualization Phase 2). Projects commenced January 2012. Contact: sigs@pcisecuritystandards.org

Community Meetings: Orlando, Florida, USA, September 12-14, 2012; Dublin, Ireland, October 22-24, 2012. Join us as a Participating Organization to get involved in setting global PCI standards!

Provide Feedback to the Council: implementation feedback, formal feedback, draft revisions feedback.

How the Process Works. Example question from the community: "Where elements of cardholder data must be protected when stored in conjunction with PAN, can we get some clarification on what in-conjunction means?" (Diagram: feedback passes between the Participating Organizations, the Technical Working Group and the Board of Advisors, returning to the Technical Working Group before standards are issued.)

Summary:
- Focus on security, not compliance
- Understand the process of PCI standards development
- Join us as a Participating Organization and increase our global presence
- Take advantage of the Council's resources and guidance
- Participate in the 2012 Annual Community Meetings
- Adopt version 2.0 and share the PCI SSC roadmap with internal stakeholders

Stay Involved: People + Processes + Technology = Security

Questions? Please visit our website at www.pcisecuritystandards.org