PCI DSS Compliance Services January 2016




PCI DSS Compliance Services, January 2016 (20160104-Galitt-PCI DSS Compliance Services.pptx)

Agenda
1. Introduction
2. Overview of the PCI DSS standard
3. PCI DSS compliance approach
Copyright Galitt 2

Introduction: Global trends
Advances in the payment sector have created opportunities for card-based payments over various channels: face-to-face, internet and mobile.
- Contactless cards & NFC
- Mobile acceptance
- E-commerce & m-commerce
- Digital wallets
- Chip on the cloud / HCE
Rise of card payments across the globe (card present and card not present).
Growth of fraud and security breaches: in 2014, card-based payment fraud in France was estimated at 395.6 million euros, with a projected increase of 10% every year.

Introduction: The French card-based payment ecosystem
Embedded security at various levels:
- Payment transaction authorisation management (e-rsb)
- Use of EMV chip-and-PIN rather than magnetic stripe cards
- Extended interoperability between domestic banks
Benefits:
- Convenience for the cardholder
- High transaction processing and payment guarantee for merchants
BUT BEWARE! Following a data breach in France, fraud may be performed wherever an equivalent security framework is not enforced. This risk must not be underestimated; everyone must take responsibility for protecting cardholder data from compromise.

Introduction: The impacts of a data breach
Damage to reputation and loss of credibility (*):
- Depending on the extent of the breach, brand value may be highly impacted, dropping by 17% to 31%
- Average reputation recovery time is 11.8 months
Financial loss (**):
- Average total cost of a data breach: 2.9M
- Average cost of a data breach per record: 127
- Re-issuing of compromised cards
- Loss of revenue
- Penalties from card brands
Collateral damage (business consequences):
- Loss of credibility with business partners: card brands, banks, service providers, merchants
Key impacts:
- Damage to reputation and brand value
- Remediation of security vulnerabilities
- Card brand penalties
- Fraud costs
- High attrition rate (e.g. 4.4% in France)
(*) Source: "2011-Ponemon_reputation_impact_of_a_compromission"
(**) Source: "Cost of Data Breach" report, Ponemon Institute and Symantec, June 2013

Introduction: Data breach figures in France and abroad
Attacks and fraud schemes perpetrated in France:
- 3x: Compromise of merchant points of sale and ATMs tripled between 2011 and 2012, according to the GIE CB report.
- 160K: Loss of 160,000 euros in a MIM card fraud scheme performed against a large merchant in 2014/2015.
- 188 / 560: Approximately 200 point-of-sale terminals were hacked in 2013, while only 30 were compromised in 2011. Over 500 gas pumps were compromised in 2014, rising from 188 in 2012 (source: 2014 OSCP report (**)).
Data breaches abroad:
- Hacking of a leading US hotel group in September 2015, compromising payment terminals in restaurants, bars and gift shops.
- 80M: 80 million customers could be impacted by data compromised at a leading US health insurance company (2015).
- Increase in face-to-face merchants accepting counterfeit CB cards in France, compromised through fraud schemes abroad (source: GIE CB report).
(**) OSCP: Observatoire de la Sécurité des Cartes de Paiement

Introduction: Darknet markets
Large volumes of card data are resold on "carding" websites. Average value on the market:
Stolen cardholder data:
- Primary Account Number (PAN) and CVX2: 1
- Magnetic stripe data: from 8 to 73
- "White plastic" card with magnetic stripe: 100
- Magnetic stripe data and PIN code: 1,000
Fraud kits:
- Malware: from 1,000 to 2,000
- Skimming equipment: from 1,000 to 2,000
Fraud opportunities based on stolen cardholder data:
- PAN: purchase of goods on insecure e-commerce websites (no CVX2 validation)
- PAN + expiry date + CVX2: purchase of goods on classic e-commerce websites
- Complete ISO2 magnetic stripe data: card-present transactions in non-EMV environments
- Complete ISO2 magnetic stripe data + PIN: card-present transactions and cash withdrawal in non-EMV environments


Overview of the PCI DSS standard: Background
- Initially developed by the five card brands (logos shown on the slide)
- Supported by major players in the payment card industry (e.g. smartcard and terminal manufacturers)
Objectives of the PCI standards:
- Reduce card fraud by protecting cardholder data
- Define a common approach and set of rules to be adopted by the major card brands, based on their existing cardholder data protection programmes
- Define a set of industry-wide requirements and processes through different standards

Overview of the PCI DSS standard: What PCI DSS aims to protect
PCI DSS aims to protect Cardholder Identification Data and Sensitive Authentication Data.
Card diagram on the slide: bank logo; Primary Account Number (PAN); cardholder name; expiry date; card verification code (CAV2/CVC2/CVV2/CID, e.g. "123"); magnetic stripe (tracks 1 and 2, containing the PIN block, i.e. the encrypted Personal Identification Number, and the Service Code); track-equivalent data also stored in the chip.
Cardholder Identification Data:
- Primary Account Number (PAN)
- Cardholder name
- Expiration date
- Service code
Sensitive Authentication Data:
- Full track data (magnetic-stripe data or equivalent on a chip)
- CVX2 (CAV2/CVC2/CVV2/CID)
- PINs/PIN blocks

Overview of the PCI DSS standard: Who is subject to PCI DSS?
PCI DSS applies to all entities involved in payment card processing that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD):
- Merchants that accept card-based payments from one or many card brands
- Payment Service Providers (PSP)
- Acquiring and issuing banks
PCI DSS is used as a technical and operational standard to protect cardholder data. The table below gives a high-level overview of the 12 PCI DSS requirements and the six groups they fall into:
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
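The two slides above list which data elements count as cardholder data (which may be stored if protected, requirement 3) and which are sensitive authentication data (which must not be retained after authorisation). As an added example, not taken from the Galitt deck, the following Python checker scans constructed application log lines for those elements, filters PAN candidates with the Luhn check, and reports PANs masked to first six/last four digits as requirement 3.3 permits for display. The log lines, test card numbers and regular expressions are all constructed for illustration.

```python
import re

# Constructed sample log (no real card data). The PANs are Luhn-valid test
# numbers; the raw_swipe lines mimic the ISO/IEC 7813 track 1 and track 2 layouts.
SAMPLE_LOG = """\
2016-01-04 10:01:02 INFO  order=1001 pan=4111111111111111 exp=2212 amount=19.99
2016-01-04 10:01:05 DEBUG raw_swipe=%B4111111111111111^DOE/JOHN^22121011234567890?
2016-01-04 10:01:06 DEBUG raw_swipe=;4111111111111111=22121011234567890?
2016-01-04 10:01:07 INFO  order=1002 pan=5500000000000004 cvv=123
2016-01-04 10:01:09 INFO  order=1003 ref=1234567890123456 amount=5.00
"""

# Illustrative patterns, not a complete PCI DSS data-discovery tool.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")   # %B PAN ^ NAME ^ YYMM SSS ... ?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")                 # ; PAN = YYMM SSS ... ?
CVX2_RE = re.compile(r"\bc(?:vv2?|vc2?|av2|id|vx2)\s*[=:]\s*\d{3,4}\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops 13-19 digit runs (order refs, timestamps) that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking per requirement 3.3: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return (category, element, masked evidence) tuples for one log line.
    CHD = cardholder data; SAD = sensitive authentication data (track data, CVX2)."""
    findings, track_pans = [], set()
    for elem, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append(("SAD", elem, mask_pan(m.group(1))))
            track_pans.add(m.group(1))           # full track implies the PAN; report once
    if CVX2_RE.search(line):
        findings.append(("SAD", "cvx2", "***"))  # never echo the verification code itself
    for m in PAN_RE.finditer(line):
        pan = m.group(1)
        if pan not in track_pans and luhn_ok(pan):
            findings.append(("CHD", "pan", mask_pan(pan)))
    return findings


def scan_log(text: str) -> list:
    """Scan a whole log; returns (line_number, category, element, masked) tuples."""
    return [(n, cat, elem, masked)
            for n, line in enumerate(text.splitlines(), 1)
            for cat, elem, masked in scan_line(line)]


if __name__ == "__main__":
    for n, cat, elem, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: {cat} {elem} {masked}")
```

Any SAD finding in a post-authorisation log is a requirement 3 violation to remediate (purge and stop logging the field), while CHD findings show where PAN must be rendered unreadable or masked.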

Overview of the PCI DSS standard: Merchant profiles vs. PCI DSS compliance validation requirements

Level 1
Merchant profile:
- Merchants processing more than 6 million Visa or MasterCard transactions annually via all channels
- Merchants that have been compromised
- Merchants identified as level 1 by another card brand
- Any merchant designated by the card brand at its discretion
Compliance validation requirements:
- Annual Report on Compliance (ROC) following an on-site audit by either a Qualified Security Assessor (QSA) or a qualified Internal Security Assessor (ISA)
- Quarterly vulnerability scan by an Approved Scanning Vendor (ASV)
- Attestation of Compliance form (AoC)
- Exemption: declassification to level 2 in case of 95% EMV transactions

Level 2
Merchant profile:
- Merchants processing between 1 and 6 million Visa or MasterCard transactions annually via all channels
- Merchants identified as level 2 by another card brand
Compliance validation requirements:
- Annual Self-Assessment Questionnaire (SAQ); assistance by a Qualified Security Assessor is required
- Quarterly vulnerability scan by an Approved Scanning Vendor (ASV)
- Attestation of Compliance form (AoC)

Level 3
Merchant profile:
- Merchants processing from 20,000 to 1 million Visa or MasterCard e-commerce transactions annually
- Merchants identified as level 3 by another card brand
Compliance validation requirements:
- Annual Self-Assessment Questionnaire (SAQ)
- Quarterly vulnerability scan by an Approved Scanning Vendor (ASV)
- Attestation of Compliance form (AoC)
- Exemption: scan exemption for merchants using certified solutions

Level 4
Merchant profile:
- Merchants processing fewer than 20,000 Visa or MasterCard e-commerce transactions annually
- Non-e-commerce merchants processing up to 1 million Visa transactions annually
Compliance validation requirements:
- Annual Self-Assessment Questionnaire (SAQ)
- Quarterly vulnerability scan by an Approved Scanning Vendor (ASV)
- Attestation of Compliance form (AoC)

The merchant profile is defined based on the total number of transactions processed across the merchant's multiple acquiring banks. Domestic transactions performed with co-badged cards (VISA or MasterCard + Carte Bancaire) must also be accounted for.


PCI DSS compliance approach: Key questions and stakeholders
A PCI DSS compliance program may transform the organisation not only from a technical perspective, but also from a business process standpoint. The success of such a program depends on the involvement and contribution of different business functions: people.
Key questions:
1. What is the scope of my organisation subject to PCI DSS?
2. How can this scope be reduced?
3. What is the best compliance strategy for my organisation?
Areas involved (diagram on the slide):
- Information Systems / IT: platforms, operating systems, networks, databases, applications
- Business processes: HR, payment processes, finance, accounting, legal
- People / project governance: project sponsors, contributors, project managers, senior management

PCI DSS compliance approach: Key drivers and challenges for conducting a PCI DSS compliance program
Drivers:
- Improved risk management approach, which reduces the likelihood of security breaches and data theft.
- Perception as a trusted partner, as security is demonstrated to be a priority within the organisation.
- Reduce or avoid financial penalties from card brands in case of data theft by demonstrating compliance and a strong security posture.
- Adopt PCI DSS as a security baseline, enforcing best practice for the protection of sensitive data in general.
Challenges:
- Defining the scope of the program is a complex task and often requires the help of a QSA.
- Roles and responsibilities to deliver the program are often unclear.
- Obtaining support from senior management is key to the success of the program and therefore mandatory.
- Maintaining the state of compliance as the environment rapidly evolves.
- PCI DSS work streams being deprioritised due to budget constraints and other competing internal initiatives.

PCI DSS compliance approach: Galitt can assist your organisation throughout all phases of a PCI DSS compliance program
Planning & preparation:
- Definition of the Cardholder Data Environment (scope)
- Business process and application mapping
- PCI DSS compliance strategy and roadmap
- PCI DSS training and awareness
Remediation:
- PCI DSS gap analysis and remediation plan
- Consulting, implementation of security controls, remediation of findings
Compliance:
- Certification audit (level 1 merchants)
- Self-Assessment Questionnaire (merchants of level 2, 3 and 4)
- External vulnerability scans from an "Approved Scanning Vendor"
Project management runs across all three phases.

Galitt contact details. Thank you!
Contacts:
- Rémi GITZINGER, Director - Payment Consulting, +33 1 77 70 28 59, r.gitzinger@galitt.com
- Bruno KOVACS, Consulting Manager & QSA, +33 1 77 70 28 12, b.kovacs@galitt.com
www.galitt.com / www.galitt.us