PCI Data Security Standards. Presented by Pat Bergamo for the NJTC February 6, 2014

Introduction 3/3/2014 2

Your Speaker
Patrick Bergamo, CISSP
Director of Information Security & Delivery, Delta Corporate Services
Security consultant to Fortune 500 companies and the Federal government
Over 35 years of IT experience
ITIL Certified

Definition of PCI

PCI = Payment Card Industry
Payment Card Industry (PCI) Security Standards Council
- Formed in 2006
- Founding members: Discover, American Express, JCB (Japan), MasterCard and Visa
- Council consists of representatives of the founding organizations
PCI Security Standards Council's purpose: to achieve best practice standardization within the credit card industry as an ongoing activity

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS
- Consists of 12 requirements
- Numerous directives for each requirement
- Security-based

The 12 PCI DSS Requirements (PCI Data Security Standard, high-level overview)
Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

PCI Compliance Level Determination
- PCI compliance level is determined by each card provider
- Based on volume of transactions and the number of points where information is stored
- Four PCI compliance levels
- Level 1 requires complete compliance and an assessment on an annual basis
- Levels 2 to 4 require compliance on specific security controls, evaluated using a Self-Assessment Questionnaire (SAQ)

PCI Compliance Levels: Visa Example
- PCI Level 1: over 6 million annual transactions
- PCI Level 2: 1 to 6 million annual transactions
- PCI Level 3: 20,000 to 1 million annual transactions
- PCI Level 4: less than 20,000 annual transactions

Enforcement & Penalties (determined by card provider)
- Up to $500,000 per data security incident
- Up to $50,000/day for non-compliance with PCI DSS
- Liability for losses due to fraud
- Payment for card re-issuance
- Suspension of account

PCI DSS: A Common Set of Data Tools
- Card number
- Name (and address)
- Expiration date
- Security code
- PIN

Magnetic Strips/Stripes
Track 1
- Card number and expiration date, name, country code, and a three-digit service code
- Discretionary information, such as an account flag or PIN
Track 2
- Developed by the American Banking Association
- Read by standard ATMs and point-of-sale credit card readers
- Mostly the same information as track one, including the cardholder's name, account number, expiration date, encrypted PIN number and service code, as well as leaving room for other discretionary data
Track 3
- No standard for data format or contents
- May be used to store country codes, transaction authorizations, currency units, balance limits or other account information
- On some credit cards, track three is omitted altogether
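The Track 1 and Track 2 layouts above are exactly what a log or disk scanner looks for when checking that full track data has not been retained by a payment system (Requirement 3, protect stored cardholder data). The following is an added example and not part of this presentation: a Python scanner for ISO/IEC 7813-style track records in log text, with a Luhn check to cut false positives and first-six/last-four masking of the PAN in its findings. The regexes, the sample log lines and the 4111111111111111 number (a widely used Luhn-valid test PAN) are constructed for the example.

```python
import re

# ISO/IEC 7813 track layouts as summarised on the Track 1 / Track 2 slide
# (these regexes are an assumption of this example, not from the presentation):
#   Track 1: %B <PAN> ^ <name> ^ <YYMM expiry> <3-digit service code> <discretionary> ?
#   Track 2: ;  <PAN> = <YYMM expiry> <3-digit service code> <discretionary> ?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: drops most digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only first six and last four digits, so the findings are not themselves cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Return one finding per Luhn-valid track record found in text, with the PAN masked."""
    findings = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(text):
            if not luhn_valid(m.group("pan")):
                continue
            findings.append({"track": track, "pan": mask_pan(m.group("pan")),
                             "expiry": m.group("exp"), "service_code": m.group("svc")})
    return findings


# Constructed sample POS log: 4111111111111111 is a well-known Luhn-valid test number;
# 4111111111111112 fails the Luhn check and must not be reported.
SAMPLE_LOG = "\n".join([
    "2014-02-06T10:01:02 pos01 swipe data=%B4111111111111111^DOE/JOHN^25121011234567?",
    "2014-02-06T10:01:03 pos01 auth raw=;4111111111111111=25121011234567890?",
    "2014-02-06T10:02:00 pos01 junk=;4111111111111112=2512101000?",
    "2014-02-06T10:03:00 pos01 order 12345 approved",
])

if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the scanner reports the Track 1 and Track 2 records (expiry 2512, service code 101, PAN shown as 411111******1111) and ignores the line whose digits fail the Luhn check.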

Security Code Types
- CVC1 or CVV1: encoded on track 2 of the magnetic strip of the card and used for card-present transactions
- CVV2 or CVC2: the most cited code, often sought by merchants for card-not-present transactions

PCI Considerations

PCI Considerations: encrypted retail information has been decoded.

PCI Considerations: credit cards have security codes, but they typically carry a reasonable maximum for which the cardholder is liable.

PCI Considerations: debit cards require a PIN, but your entire account is exposed.

PCI Future Trends

PCI Future Trends
- Intelligent chips (instead of magnetic strips)
- Biometrics
- Cash?

PCI Considerations: PCI DSS compliance does not mean compliance with nationally recognized standards (NIST, ISO).

Contact Information
Patrick Bergamo, CISSP
Director of Information Security & Delivery
pbergamo@deltacorp.com
800-delta20 x4948
mobile: 973-479-5625
Delta Corporate Services, Inc., A Business & IT Consulting Company