PCI Security Standards Council

PCI Security Standards Council
Jeremy King, European Director
2013

Agenda
- Why PCI Matters
- Applying PCI
- How You Can Participate

About the PCI Council
- Open, global forum
- Founded 2006
- Guiding open standards for payment card security: development, management, education, awareness

PCI: Architecture for Payment Card Security
- 5 major card brands drive efforts for payment card security
- PCI Security Standards Council manages the technical standards and process

Community: Over 650 Participating Organisations (chart of Participating Organisations by region)

Your Card Data is a Gold Mine for Criminals
Types of data on a payment card:
- CID (American Express)
- CAV2/CID/CVC2/CVV2 (Discover, JCB, MasterCard, Visa)
- Chip
- PAN
- Cardholder data
- Expiration date
- Magnetic stripe (data on tracks 1 & 2)

PCI Security Standards Suite: Protection of Cardholder Payment Data
- Manufacturers: PCI PTS (PIN entry devices)
- Software developers: PCI PA-DSS (payment applications)
- Merchants & service providers: PCI DSS (secure environments)
- P2PE
PCI Security & Compliance covers the ecosystem of payment devices, applications, infrastructure and users.

EMV Helps Reduce Face-to-Face Fraud
Countries that have implemented EMV have reported a decrease in card fraud. According to the UK Cards Association, "fraud on lost and stolen cards is now at its lowest level for two decades and counterfeit card fraud losses have also fallen and are at their lowest level since 1999."*
*Smart Card Alliance EMV FAQ
EMV by itself does not protect the confidentiality of, or prevent inappropriate access to, sensitive authentication data and/or cardholder data in card-not-present or Internet transactions.

EMV Needs PCI for Full Protection!

Business Sectors With the Most Breaches
- Retail 45%
- Food & Beverage 24%
- Hospitality 9%
- Other 8%
- Financial Services 7%
- Nonprofit 3%
- Health & Beauty 2%
- High Technology 2%
Systems that store, process or transmit cardholder data remain primary targets for criminals.

Organisations Ignored PCI and Were Breached
- 96% of those breached were not PCI compliant as of their last assessment (or were never assessed/validated)
- Top attack methods used to breach organizations: 81% of incidents involved hacking; 69% incorporated malware; 10% involved physical attack

Top Mistakes By Those Breached (revealed by forensic audits)
- Weak passwords
- Lack of employee education
- Security deficiencies introduced by third parties responsible for system support, development and/or maintenance
- Slow self-detection

Why? Why we fail to maintain secure environments
- Lack of awareness by IT practitioners, and of incentive to keep security a primary focus
- Quickly evolving technology landscape
- Rapid development and distribution of new solutions
- Still unnecessary exposure of cardholder data (CHD)

PCI Standards Help Secure Your Data
- 92% of compromises were simple
- 97% were avoidable through simple or intermediate controls
Source: Verizon 2012 Data Breach Investigations Report

The PCI Data Security Standard: Six Goals, Twelve Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors

PCI Standards for Applications & Devices
PIN Transaction Security (PTS)
- Addresses characteristics & management of devices for processing payment cards
- PTS is followed by device manufacturers
- Merchants must use validated PTS devices
Payment Application Data Security Standard (PA-DSS)
- Addresses applications for payment, authorisation and settlement
- PA-DSS is followed by software developers
- Merchants must use validated payment applications
(Manufacturers: PCI PTS, PIN entry devices; software developers: PCI PA-DSS, payment applications; merchants & service providers: PCI DSS, secure environments)

Getting Ready for PCI 3.0
2013 focus: updating PCI Standards and supporting documents based on Community feedback

The Bottom Line
People + Processes + Technology = Security
Compliance doesn't equal security.

Applying PCI

Applying PCI in Your Environment: Mobile, P2PE, Virtualisation, ATM, Tokenisation, Cloud, EMV

EMV Helps Reduce Face-to-Face Fraud
EMV by itself does not protect the confidentiality of, or prevent inappropriate access to, sensitive authentication data and/or cardholder data in card-not-present or Internet transactions.

Even EMV Security Needs PCI

Mobile Payment Acceptance (illustration: a $19 retail payment accepted on a mobile device)

Areas of Focus for Mobile
- Devices: tamper-responsive PTS devices (e.g. SCR, secure card reader) using P2PE
- Applications: requirements and/or best practices for authorisation and settlement
- Service providers: service provider protection of cardholder data and validation

Mobile payments and the PCI Council
- Identified mobile applications that can be validated to PA-DSS
- Published merchant guidance for mobile solutions leveraging P2PE
- Developed best practices for developers
- Next steps explored by PCI SSC

Guidance on Mobile Payment Acceptance Security

New Mobile Guidance for Merchants
Guidance for merchants on the factors and risks that need to be addressed in order to protect card data when using mobile devices, such as smart phones and tablets, to accept payments, including:
- Objectives and guidance for the security of a payment transaction
- Guidelines for securing the mobile device
- Guidelines for securing the payment acceptance solution

Point-to-Point Encryption (P2PE)
- Available to all members of the payment chain
- Optional standard for decreasing scope
- PCI P2PE hardware/hardware requirements available
- PCI P2PE hybrid requirements available

Tokenisation
Work on tokenisation standards has begun (PAN -> token):
- Ensure that the process of creating a token from a PAN doesn't leak information about the PAN
- Ensure that a token or collection of tokens by themselves cannot feasibly allow discovery of the PAN
- Ensure that adequate controls exist over the detokenisation process
- Ensure that a token cannot be used in lieu of a PAN for impermissible purposes
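The toy vault below is an added example, not code from the PCI SSC or this deck, showing how each of the four properties above can be enforced: the `tok_` prefix, the `settlement` role and the vault class itself are assumptions made for the illustration.

```python
import secrets
from typing import Dict

# Toy tokenisation vault (constructed for this example; not a PCI SSC design).
TOKEN_PREFIX = "tok_"               # assumed token format; can never look like a card number
DETOKENIZE_ROLES = {"settlement"}   # assumed: the only role allowed to recover a PAN


def luhn_valid(number: str) -> bool:
    """Luhn check that real PANs pass; used to show a token cannot pass as a PAN."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    def __init__(self) -> None:
        self._by_pan: Dict[str, str] = {}
        self._by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._by_pan:         # repeat PANs reuse the stored token (lookup, not derivation)
            return self._by_pan[pan]
        while True:
            # 128 random bits from the OS CSPRNG: the token is not computed from the PAN,
            # so it leaks nothing about it and no table of PAN->token pairs can be precomputed.
            token = TOKEN_PREFIX + secrets.token_hex(16)
            if token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Controlled detokenisation: only an authorised role may map a token back to its PAN."""
        if role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenise")
        return self._by_token[token]

    def masked(self, token: str) -> str:
        """Display form: the last four digits are the only PAN-derived value that leaves the vault."""
        pan = self._by_token[token]
        return "*" * (len(pan) - 4) + pan[-4:]
```

Because the token carries a non-numeric prefix it fails the Luhn check, so it cannot be submitted where a PAN is expected, and any component outside the vault sees at most the masked form.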

2013 Training Highlights
- Online Internal Security Assessor (ISA) Training
- P2PE Assessor Training
- Corporate PCI Awareness: let us come to you!
- Online Awareness Training in four hours
- Qualified Integrators and Resellers (QIR) Program
- PCI Professional Program (PCIP)
To learn more, visit: www.pcisecuritystandards.org/training/index.php

QIR Addresses Common Misconceptions
- "I'm using a PA-DSS validated application, so I must be OK."
- "I'm using a reputable 3rd party, so they must be doing a secure installation."
- "This applies only to brick and mortar establishments."

Payment Card Industry Professional (PCIP), now available
- Support your organisation
- Professional credibility
- Competitive advantage
- Global directory

Internal Security Assessor (ISA) Program
A comprehensive PCI DSS training and qualification program for eligible internal audit security professionals that you asked for!
- Improves your understanding of PCI DSS and compliance procedures
- Helps your organisation build internal expertise
- Teaches processes that can reduce the cost of compliance

PCI Awareness Training: team building, convenience, cost. We come to you!

Multilingual Resources on the PCI Website: French, Spanish, Japanese, German, Italian, Portuguese, Chinese

Resources for Small Business Owners View at: www.pcisecuritystandards.org/smb

How You Can Participate

Be Involved: Contribute Your Expertise!
Chief Security Officers, Chief Information Officers, IT Managers, Forensic Investigators, Information Security Professionals, Legal Experts, Risk Managers, Technologists, Compliance Officers, Data Security Experts
Join! Become a Participating Organisation today.

Help Participate in Standards Development: implementation feedback, formal feedback, draft revisions feedback

PCI SSC Special Interest Groups (SIG)
- Risk Assessment
- Ecommerce
- Cloud
- Best Practices for Maintaining PCI Compliance
- Third Party Security Assurance

Products of SIG Collaboration

New SIG Guidance: PCI DSS Risk Assessment
Guidance for choosing the risk assessment approach that works best for your business to secure your card data.
Go to our website today to download these new guidelines: https://www.pcisecuritystandards.org/index.php

New SIG Guidance: Ecommerce
Guidance on the use of e-commerce technologies in accordance with the PCI DSS.
Go to our website today to download these new guidelines: https://www.pcisecuritystandards.org/index.php

New SIG Guidance: Cloud
Guidance on the use of cloud technologies and considerations for maintaining PCI DSS controls in a cloud environment.
Go to our website today to download these new guidelines: https://www.pcisecuritystandards.org/index.php

2013 Special Interest Groups: join us!
- Best Practices for Maintaining PCI Compliance
- Third Party Security Assurance
Visit the PCI SSC website to sign up.

Board of Advisors Nominations and Elections 2013
- 27 January: nominations open
- 25 February: nominations close
- 7 March: voting commences
Join as a Participating Organisation by going to https://www.pcisecuritystandards.org/get_involved/join.php and play a role in electing the next Board of Advisors.

Get Involved: We Need Your Input
Join, learn, input, network, nominate, vote, share, influence.

The Formula for PCI Success People + Processes + Technology = Security

Summary: Why PCI Matters to You!
Community, guidance, vigilance, training, engagement.

Questions? Please visit our website at www.pcisecuritystandards.org