Payment Card Industry Data Security Standard



Similar documents
PCI DSS. CollectorSolutions, Incorporated

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

PCI on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for PCI on AWS

Credit Card Processing, Point of Sale, ecommerce

How To Protect Your Business From A Hacker Attack

Adyen PCI DSS 3.0 Compliance Guide

PCI DSS Presentation University of Cincinnati

PCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock

Understanding the SAQs for PCI DSS version 3

PCI DSS Compliance What Texas BUC$ Need to Know! Ron King CampusGuard

Becoming PCI Compliant

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock

A Compliance Overview for the Payment Card Industry (PCI)

PCI DSS Compliance Information Pack for Merchants

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

Merchant guide to PCI DSS

Why Is Compliance with PCI DSS Important?

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

PCI Compliance Top 10 Questions and Answers

PCI Compliance. Top 10 Questions & Answers

Simplêfy Client Support and Information Services. PCI Compliance Guidebook

PCI Compliance. Crissy Sampier, Longwood University Edward Ko, CampusGuard

Project Title slide Project: PCI. Are You At Risk?

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) Merchant Business Solutions. Version 5.0 (April 2011)

Payment Card Industry - Achieving PCI Compliance Steps Steps

How To Ensure Account Information Security

PCI Security Compliance

Frequently Asked Questions

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

Property of CampusGuard. Compliance With The PCI DSS

PCI Compliance for Healthcare

PCI Compliance Overview

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

La règlementation VisaCard, MasterCard PCI-DSS

Payment Card Industry Data Security Standards.

SecurityMetrics Introduction to PCI Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

An article on PCI Compliance for the Not-For-Profit Sector

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

PCI DSS v3.0 SAQ Eligibility

PCI Data Security Standards

North Carolina Office of the State Controller Technology Meeting

PCI COMPLIANCE GUIDE For Merchants and Service Members

So you want to take Credit Cards!

Validation of PCI Compliance Requirements NC Office of the State Controller June 23, 2015

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

How To Protect Your Credit Card Information From Being Stolen

Payment Card Industry Data Security Standards Compliance

Two Approaches to PCI-DSS Compliance

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

Your Compliance Classification Level and What it Means

Achieving PCI Compliance for Your Site in Acquia Cloud

Varonis Systems & The Payment Card Industry Data Security Standard (PCI DSS)

PAI Secure Program Guide

The PCI DSS Compliance Guide For Small Business

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

How To Protect Visa Account Information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

PCI Compliance: Protection Against Data Breaches

PCI Compliance 3.1. About Us

PCI Compliance: How to ensure customer cardholder data is handled with care

Protecting Your Customers' Card Data. Presented By: Oliver Pinson-Roxburgh

Payment Card Industry Data Security Standard (PCI DSS) v1.2

Payment Card Industry (PCI) Data Security Standard. Attestation of Compliance for Self-Assessment Questionnaire C-VT. Version 2.0

Accepting Payment Cards and ecommerce Payments

PCI Standards: A Banking Perspective

Data Security Standard (DSS) Compliance. SIFMA June 13, 2012

A PCI Journey with Wichita State University

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

UCSB Credit Card Processing and PCI Compliance

Payment Card Industry Data Security Standard

PCI: The Dark Side. May 2012 Roanoke, VA

Policy. London School of Economics & Political Science. PCI DSS Compliance. Jethro Perkins IMT. Information Security Manager. Version Release 1.

PCI DSS. Payment Card Industry Data Security Standard.

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

E Pay. A Case Study in PCI Compliance. Illinois State Treasurer. Dan Rutherford

What a Processor Needs from a University to Validate Compliance

Transcription:

Payment Card Industry Data Security Standard Office of the State Treasurer Ryan Pitroff Banking Services Manager Ryan.Pitroff@tre.wa.gov

PCI-DSS A common set of industry tools and measurements to help ensure the safe handling of sensitive information. Developed and managed by the PCI Security Standards Council Applies to all merchants and third party service providers that Store/Process/Transmit Card Holder Data Develop/ Sell Payment Applications 2

PCI-DSS Summarized Goals Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy PCI DSS Requirements 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for all 3 personnel

PCI Compliance Levels Level 1 Merchants processing over 6 million card transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region Level 2 Merchants processing 1 million to 6 million card transactions annually (all channels) Level 3 Merchants processing 20,000 to 1 million e-commerce transactions annually Level 4 Merchants processing less than 20,000 e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually Annual Report on Compliance ( ROC ) by Qualified Security Assessor ( QSA ) or Internal Auditor Quarterly network scan by Approved Scan Vendor ( ASV ) Attestation of Compliance Form Annual Self-Assessment Questionnaire ( SAQ ) Quarterly network scan by ASV Attestation of Compliance Form Annual SAQ Quarterly network scan by ASV Attestation of Compliance Form Annual SAQ recommended Quarterly network scan by ASV if applicable requirements set by merchant bank 4

Self Assessment Questionnaires (SAQs) SAQ A SAQ A-EP SAQ B Card not present merchants (ecommerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant s systems or premises. Not applicable to face to face channels Ecommerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant s systems or premises. Applicable only to e-commerce channels. Merchants using only Imprint machines with no electronic cardholder data storage; and/or Standalone, dial out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels 5

Self Assessment Questionnaires (SAQs) SAQ B-IP SAQ C-VT SAQ C SAQ P2PE-HW SAQ D Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels. Merchants who manually enter a single transaction at a time via a keyboard into an Internet based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels. Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels All merchants not included in descriptions for the above SAQ types 6

Cost of Non Compliance If a merchant is found to be non-compliant they can be fined up to $25,000 per month. Noncompliance assessments will begin 1 January 2015 for noncompliant or overdue level 1 and level 2 merchants Visa may impose additional measures including, but not limited to, risk reduction requirements, disconnection from VisaNet, and agent disqualification. In case of a breach, merchants will be assessed the cost to notify and reissue cards for affected cardholders. This can be $100 to $300 per record compromised. 7

PCI-DSS Case Study Entity Profile: Challenges: Solution(s): Accepts Bankcards in-person at multiple locations. Has a website with online acceptance of bankcards that they outsourced to a 3 rd party to manage. Classified as a level 2 merchant Multiple Challenges, from project management issues, to incomplete gap analysis, all pointing to a lack of understanding of the PCI-DSS Still a Work in Progress, but getting better.

PCI-DSS Case Study Project Management Issues Ownership of the process No one wanted to take the job Gave the job to an accountant with no prior PM experience, and very little bankcard experience Were unable to get resources from their 3 rd party vendor to assist in analyzing the vendor s side of things. Project Manager got busy with day to day issues and put the project on the back burner

PCI-DSS Case Study Incomplete Gap Analysis Inability to engage internal IT resources Inability to engage 3 rd party IT resources Guessing at answers instead of digging deeper and knowing the answers Lacked a clear understanding of the relationship of their internal systems, and how those interfaced with the 3 rd party system(s) Completely missed the fact that their 3 rd party was retaining full card data

PCI-DSS Case Study Lack of Understanding of PCI-DSS Through this process it became apparent that this agency did not understand PCI-DSS or the implications of being in non-compliance with the standard Even though it was communicated early and often, they missed their compliance deadline and then had to request an extension It was only when they were under the threat of having merchant services turned off did they comprehend the seriousness of the issue

PCI-DSS Case Study Solutions Engage and get buy in from executive management Agency assigned an effective Project Manager Agency management staff were told to drop everything and assist the PM whenever questions needed to be answered Fully vet your business process First thing the PM did was a full analysis of their entire business process, from initial card acceptance through settlement During this analysis it was discovered they had a requirement of their vendor to retain full card data

PCI-DSS Case Study Solutions Get outside help when needed Hired a Qualified Security Assessor (QSA) After identifying full card data was being kept, analyzed their business need for that data and determined it was in their best interest to not retain full card numbers. Complete your PCI-DSS Validation timely Because this agency was so late in validating their compliance, our Acquirer looked it over much more closely than normal. This took extra resources to answer their many and varied probing questions Start working on next year s validation early

PCI-DSS Case Study Solutions Make sure the correct SAQ is being done If you are accepting in-person transactions only with hardware terminals, the validation of your compliance requirements will look much different than a merchant who has online acceptance or who retains card data Make sure your contracts with 3 rd party vendors address your data security requirements Don t Retain Card Data If you have a business need to retain full card data, do what you can to change that process. If you still have the need, find a solution that will best protect you from a data breach

PCI-DSS Resources PCI Data Security Standard (PCI DSS) www.pcisecuritystandards.org The Standard: https://www.pcisecuritystandards.org/documents/pci_dss_v3.pdf Supporting Documents: https://www.pcisecuritystandards.org/security_standards/documents.php Approved Assessors and Scanning Vendors: https://www.pcisecuritystandards.org/approved_companies_providers/index.php Self-Assessment Questionnaires: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information