The PCI DSS Compliance Guide For Small Business




PCI DSS Compliance in a hosted infrastructure
A Rackspace White Paper, Spring 2010

Summary

The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry Security Standards Council (PCI SSC). The purpose of the standard is to reduce credit card fraud. This is achieved through increased controls around data and its exposure to compromise. The standard applies to all organizations which process, store, or transmit cardholder information.

The purpose of this guide is to clearly explain what PCI DSS is, who it is relevant to, which areas of PCI DSS Rackspace can assist with, and which responsibilities are solely those of the customer. For more information, please contact Rackspace, the home of Fanatical Support.

Introduction

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is mandatory for ALL organisations worldwide that accept, store, process or transmit credit card details, and finding the right hosting partner is vital to success. While there are many areas of PCI compliance that Rackspace can assist with, customers should always seek consultation and validation from their merchant bank and qualified third parties (e.g. Qualified Security Assessors and Approved Scanning Vendors) to ensure that they meet all the requirements relevant to their business. Be aware that different credit card brands (e.g. Visa, MasterCard, etc.) may have different certification levels and requirements, so guidance from them is vital to successfully attaining compliance.

Rackspace is accredited by Visa as a Compliant Level 1 Payment Card Industry (PCI) Service Provider. Please note that although Rackspace is a PCI compliant service provider, this does not automatically make our customers PCI compliant: customers should consult with their Merchant Bank or card brand to clarify any PCI obligations and steps to achieve compliance.

What is PCI DSS?

The Payment Card Industry Data Security Standard is a global standard for information security that was developed and assembled by the Payment Card Industry Security Standards Council (PCI SSC). This council was founded by a number of payment brands including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International. PCI DSS contains requirements for security management, policies, procedures, network architecture, software design and other critical protective measures, intended to help businesses proactively protect their own and their customers' data. The primary aim of the council was to help facilitate the broad adoption of consistent data security measures on a global basis.

Should My Business be PCI-DSS Compliant?

If your business stores, processes, or transmits cardholder data*, there is a requirement to be PCI-DSS compliant. Non-compliance with PCI-DSS could lead to:

- Loss of reputation
- Loss of customers
- Increased costs for accepting credit card transactions
- Complete withdrawal of credit card processing facilities in the worst cases
- Substantial fines associated with security breaches and non-compliance
- Litigation

*Cardholder data refers to the PAN (Primary Account Number) plus cardholder name, expiration date and service code.

What are the levels of PCI Compliance?

While there are different levels defined, the payment volume thresholds are also different depending upon the payment brand, i.e. American Express, MasterCard and Visa. Using Visa as an example, there are 4 levels of PCI-DSS assessment for Merchants, and 3 different levels for Service Providers.

Merchant:

- Level 1: Any merchant who processes over 6,000,000 credit card transactions per year. Requires annual on-site validation by a third-party QSA (Qualified Security Assessor).
- Level 2: Any merchant who processes between 1,000,000 and 6,000,000 transactions per year. Requires annual self-assessment.
- Level 3: Any merchant who processes between 20,000 and 1,000,000 transactions per year. Requires annual self-assessment.
- Level 4: Any merchant who processes fewer than 20,000 transactions per year. Requires annual self-assessment.

Service provider:

- Level 1: All VisaNet processors (member and non-member) and all payment gateways.
- Level 2: Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually.
- Level 3: Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually.

Please contact the PCI Council for more information, and your merchant to confirm which level applies to your business. The PCI Council website can be found at https://www.pcisecuritystandards.org/

Key Steps towards PCI-DSS Compliance

1. Contact your Merchant/Acquiring Bank

Your merchant/acquiring bank should provide guidance on:

- Validation requirements for your assessment (self-assessment vs. on-site audit)
- Deadlines
- Penalties for non-compliance
- Penalties for security breaches

2. Conduct a scoping exercise

This exercise should uncover the flow of cardholder data in your transactional websites, i.e. where and how cardholder data enters and leaves your website environment. Results of this exercise should reveal:

- Where cardholder data is being stored
- What third parties have access to cardholder data
- How cardholder data is being secured in transit and in storage

A smaller scope can facilitate an easier compliance exercise.

3. Review business processes

Are your processes expanding your scope unnecessarily or increasing your attack exposure? For example:

- Do you really need to store cardholder data?
- Do you have security policies for firewalls, patching, malware, etc.?
- Is your application coded with best practices?
- Can non-core functions be outsourced?

4. Utilise the information on the PCI-SSC website

The main PCI-SSC website is a great resource for your PCI-DSS compliance journey. You can find key information on:

- Updates to the standard
- Frequently asked questions
- Testing procedures for each requirement
- List of Qualified Security Assessors and Approved Scanning Vendors

5. Engage a QSA (Qualified Security Assessor)

If you do not have the in-house expertise to implement and manage a PCI-DSS compliance programme, it is recommended that you engage a QSA.

- Look for QSAs with good track records of working with organisations of a similar size to yours
- Make sure that your QSA organisation can be found on the list of approved QSAs on the PCI-SSC website

6. Engage an ASV (Approved Scanning Vendor)

The PCI-DSS Standard requires every merchant and service provider to engage an Approved Scanning Vendor to conduct periodic scans of your cardholder environment. This is mandatory. There is a list of ASVs on the PCI-SSC website. To be compliant, you must pass each ASV scan.

The Prioritised Approach to PCI DSS Compliance

To assist organisations in completing the PCI compliance process, the PCI Security Standards Council has produced a Prioritised Approach to help businesses understand where they can act to reduce risk earlier in the compliance process. The Prioritised Approach (see the PCI SSC website for more details: https://www.pcisecuritystandards.org/index.shtml) breaks the steps to compliance down into six milestones and clearly maps each milestone to the 12 PCI DSS requirements and their individual sub-requirements. These milestones make it easier to understand each major area and enable organisations working towards compliance to focus first on the higher-priority requirements, which typically take longer to complete, before moving to the lower-priority, less complex requirements.

How Can a Hosting Provider Help with PCI Compliance?

If you outsource all or part of your cardholder environment to a third party, the standard requires that party to be PCI-DSS compliant. Rackspace is a Level 1 certified PCI-DSS Service Provider. Our compliance is reassessed annually by an external auditor; the last audit was completed in June 2009. Rackspace offers a suite of hardware, software, and services that can help facilitate your compliance. These include:

- Managed Cisco firewalls
- VPN system management access
- Sophos and Symantec anti-virus protection
- Thawte and Verisign SSL certificates
- Alert Logic Intrusion Detection Services (IDS)
- PCI ASV network scanning service (included with IDS)
- Physical system security (included with standard support)
- Patch management services (included with standard support)

Summary

- If you accept, store, process, or transmit cardholder data then you have a requirement to be PCI-DSS compliant
- There are penalties associated with non-compliance and data security breaches
- Rackspace can help you and your clients drive PCI-DSS compliance through its suite of hardware, software, and services
- Review the information publicly available on the PCI-SSC website: https://www.pcisecuritystandards.org/

Please note that although Rackspace is a PCI compliant service provider, this does not automatically make our customers PCI compliant: customers should consult with their merchant and a Qualified Security Assessor to clarify any PCI obligations and steps to achieve customer compliance.